Comments on: Client Side OpenID

By: Kevin Turner

Kevin Turner — Tue, 19 Feb 2008 18:34:15 +0000

Seatbelt, Sxipper, and Information Cards are browser extensions that can all integrate with some existing OPs today.

The infocard WS-* goo isn’t so bad as you might think. There’s a BSD-licensed python implementation for self-issued infocards that you can refer to at http://code.google.com/p/py-self-issued-rp/

By: James

James — Tue, 19 Feb 2008 12:18:13 +0000

The Simile Appalachian OpenID extension has some amount of phishing protection in it, I haven’t investigated how much though.

By: James Henstridge

James Henstridge — Tue, 19 Feb 2008 11:07:55 +0000

alex, steve: the image/text customisation method is already in use at sites like myopenid. Note however that the image needs to be associated with the computer (e.g. via a cookie with a large expiry time) rather than to anything the user types in. If the OP displayed these sorts of customisations during an authentication request at a new computer, then a rogue RP could do the same by proxying the page.

Matthew, John: I am not too surprised to see that someone has done the out-of-band XMPP authentication solution (which is pretty cool!). I haven’t seen anything along the lines of the browser extension I outline, which I think could provide an interesting user experience.

By: Dirk Gently

Dirk Gently — Mon, 18 Feb 2008 23:55:08 +0000

Nice to hear someone is thinking about this. I’ve heard of this kick and just can’t seem to understand why it’s catching on. The browser stores every password I possibly need and though OpenID would be super nice to joining a new site (heck it could even get rid of the signin form in alot of instances), I’m not about to trade security for it.

FF3b4!??? hmmm.

By: Frej Soya

Frej Soya — Mon, 18 Feb 2008 22:19:37 +0000

I’ve been thinking/trying to get openid in mugshot/online.gnome.org (only broken patch so far on local disk). Mugshot would improve if it could auto-detect other web”applications” at sign-up time - so it seems like a good place for an openid-provider.

But the out-of-band extra security dawned on me - there already is a xmpp connection from mugshot client to server - but I wasn’t sure if it actually increased security, and I didn’t stop to think about it.

Motivating that other people believes it does

By: John Drinkwater

John Drinkwater — Mon, 18 Feb 2008 18:47:23 +0000

James, You can achieve this using http://openid.xmpp.za.net/ (this does over-XMPP openid auth like you said), and sameplace.cc, an XMPP firefox extension. You receive a message when you go to log-in, and all you have to do is reply, and then the stall while waiting for http://openid.xmpp.za.net/ to load, unblocks and you log in to the RP. Pretty simple.

Personally I’m not going to touch all the *Card* stuff, seems a little ott and.. controlling, I’m quite happy using regular browser certs, the only thing needing improvement is the usability and awareness for newbs.

By: steve

steve — Mon, 18 Feb 2008 18:47:02 +0000

I was going to suggest the exact same as Alex above. Require the user to upload some picture(or text for accessibility) that they’ll recognise and expect when they go to their genuine site.

By: Owen Taylor

Owen Taylor — Mon, 18 Feb 2008 18:02:02 +0000

To me, reducing the threat of phishing boils down to to one or both of two things: change around the interaction so that the user never expects to have to enter a password on the web, or to eliminate entirely the existence of a password that is useful to phish. Current methods of improving OpenID (require logging in beforehand, make your OP’s page more verifiably authentic etc), all fall down, because they assume the existence of an alert user who understands what is going on and has a good sense of when something unusual happens.

Information Cards have some nice properties… in particular they have a well thought-out user interaction model that does not involve entering passwords into a web page. The biggest problem is probably is that implementing them brings in all sorts of WS-* goo. A client side OP sounds a bit like reinventing information cards. But I think at that point you have to ask what the goals are: to integrate into the OpenID ecosystem? to make things easier to implement by not having WS-*? etc. The worst thing would be to end up with the broken OpenID user interaction, but incompatible with both most OpenID RP’s and with information card RP’s.

By: Matthew

Matthew — Mon, 18 Feb 2008 14:40:53 +0000

Folks are already using XMPP to do it:
http://openid.xmpp.za.net/
http://sameplace.cc/wiki/openid-integration
for example.

By: Rob J. Caskey

Rob J. Caskey — Mon, 18 Feb 2008 13:49:57 +0000

Christopher:

I’m going to me-to the anon fellow above me. Certs are the way of the future, and they should live on the Gnome keychain and be presented in a Cardspace like selector. RPs can select with set of authentication mechanisms they wish to support: my personal preference is that Infocard be the dominate one because Cardspace on windows solves the same problem fairly well, and there are no show-stopper problems with it. The MS-blessed term for generic implementations of Cardspace is Infocard.

There is already a Firefox plugin that sorta-worked last time I checked on it about 9 months ago, it lives at http://code.google.com/p/openinfocard/downloads/list, but I would love to see it in Gnome proper. SSL certs wouldn’t be bad either, but gnome-integration is a must.