Identity in the Browser: Security and Protocol Issues
From IIW
Convener: Jeff Hodges
Note-taker: Breno de Medeiros
Tags:
Identity in the Browser and other security topics related to active clients.
Discussion notes:
Items:
- HTTP/S and browser approaches
- New client approaches (active selectors?)
- Automatic validation/ auditing
Server-to-client convergence of HTTP policy (policy the server declares in headers and the browser enforces):
- Content Security Policy (CSP)
- Origin header
- Cross-Origin Resource Sharing (CORS; W3C/HTML5)
- Content sniffing (and how to suppress it)
- HTTP Strict Transport Security (HSTS; forced HTTPS)
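The policy headers in this list are the ones a site can audit automatically (the "automatic validation / auditing" item above). The following is an added example, not code from the session or from any project discussed at IIW: a small Node.js audit of a response's CSP, X-Content-Type-Options, HSTS and CORS headers, plus a request-side Origin check. The origins (rp.example, op.example, evil.example), the allow-list, the one-year HSTS threshold and both sample responses are constructed for illustration.

```javascript
// Added example, not from the IIW session notes: audit the server-set policy
// headers discussed in the session and check the request Origin header.
// All origins, thresholds and sample responses below are constructed.

// Assumed allow-list of origins permitted to make credentialed cross-origin
// requests to this server.
const ALLOWED_ORIGINS = new Set(['https://rp.example', 'https://op.example']);

// Assumed minimum HSTS lifetime: one year, in seconds.
const MIN_HSTS_MAX_AGE = 31536000;

// Header names are case-insensitive; normalise once so lookups are simple.
function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Audit a set of response headers; returns a list of findings (empty = clean).
function auditResponseHeaders(headers) {
  const h = lowerKeys(headers);
  const findings = [];

  // Content Security Policy: must be present and must lock down script sources.
  if (!h['content-security-policy']) {
    findings.push('missing Content-Security-Policy');
  } else {
    const csp = parseCsp(h['content-security-policy']);
    const scriptSrc = csp['script-src'] || csp['default-src'];
    if (!scriptSrc) {
      findings.push('CSP sets neither script-src nor default-src');
    } else if (scriptSrc.includes('*') || scriptSrc.includes("'unsafe-inline'")) {
      findings.push("CSP script sources allow * or 'unsafe-inline'");
    }
  }

  // Content sniffing: nosniff stops the browser second-guessing Content-Type.
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  // Strict Transport Security: without a max-age the policy never takes effect.
  const hsts = h['strict-transport-security'] || '';
  const maxAge = /max-age\s*=\s*(\d+)/i.exec(hsts);
  if (!maxAge) {
    findings.push('missing Strict-Transport-Security max-age');
  } else if (Number(maxAge[1]) < MIN_HSTS_MAX_AGE) {
    findings.push('HSTS max-age shorter than one year');
  }

  // CORS: a credentialed response must name a single, allow-listed origin.
  const allowOrigin = h['access-control-allow-origin'];
  const allowCreds = (h['access-control-allow-credentials'] || '').trim().toLowerCase() === 'true';
  if (allowOrigin === '*' && allowCreds) {
    findings.push('CORS: wildcard Access-Control-Allow-Origin with credentials');
  } else if (allowOrigin && allowOrigin !== '*' && !ALLOWED_ORIGINS.has(allowOrigin)) {
    findings.push('CORS: Access-Control-Allow-Origin names an origin outside the allow-list (reflected Origin?)');
  }
  return findings;
}

// Request-side check of the Origin header on a state-changing request.
// Policy choice (an assumption here): a missing Origin is rejected, so legacy
// clients that omit it must be covered by a separate CSRF token instead.
function originAllowed(requestHeaders, selfOrigin) {
  const origin = lowerKeys(requestHeaders)['origin'];
  if (origin === undefined) return false;
  if (origin === 'null') return false; // opaque origin: sandboxed frame, data: URL, some redirects
  return origin === selfOrigin || ALLOWED_ORIGINS.has(origin);
}

// Constructed sample responses: a weak configuration and a hardened one.
const WEAK_RESPONSE = {
  'Content-Type': 'text/html',
  'Access-Control-Allow-Origin': 'https://evil.example', // server echoed the request Origin
  'Access-Control-Allow-Credentials': 'true',
};

const HARDENED_RESPONSE = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://op.example; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Access-Control-Allow-Origin': 'https://rp.example',
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditResponseHeaders(WEAK_RESPONSE));
  console.log('hardened:', auditResponseHeaders(HARDENED_RESPONSE));
  console.log('origin allowed:', originAllowed({ Origin: 'https://rp.example' }, 'https://op.example'));
}
```

Run with `node audit.js`: the weak response yields four findings (no CSP, no nosniff, no HSTS, and a CORS allow-origin that reflects an unlisted origin), the hardened one yields none. The `Vary: Origin` header on the hardened response matters when the allow-origin value is chosen per request, so that a shared cache never serves one origin's CORS answer to another.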
Holder-of-key in a selector?
- Access to keying material in shared
- Binding of keying material to the transport (e.g. SRP)
- Hard to do on sliced hosts …
Consistency for user
- OP in a popup window: easy to spoof?
- Browser toolbar (privileged chrome) as the trusted UI
- The address bar must be displayed: what if it isn't?
- Popup phishing whitelist/blacklist
- If the RP could really know which identity to use, the experience would be smoother, but would the user understand what was happening?
- How best to leverage a second authentication setup step?