Introduction to FIDO (101 Session)
From IIW
Day/Session: Tuesday 4B
Convener: Chris Streeks
Notes-taker(s): Romain Lenglet
Tags for the session – Technology discussed/ideas considered:
WebFinger
DNS
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
"How to authenticate a user given its identifier?" boils down to "How to find the user's IdP?"
- WebFinger specifies well-known URIs
  - RFC 7033
  - https://<domain>/.well-known/webfinger
- Proposal: use 2+ levels of DNS subdomains instead
  - <whatever>.well_known.<domain>
  - It's easier to set up a DNS subdomain / CNAME than well-known URIs, redirects, etc.
- Problems with this proposal identified by the audience
  - The discussion is limited to resolving an IdP from an identifier that has a domain name, esp. an email address
    - It wouldn't work with other identifiers, e.g. employee IDs, phone numbers, bank account numbers
  - Also, this solves only a small part of the overall problem of connecting an SP with an IdP
    - The IdP must also be set up with the ID+secret of the SP, etc.
  - Need to protect against MITM, which is easier with DNS
  - There is already an RFC draft specifying the use of "_openid" TXT records for OpenID: https://tools.ietf.org/html/draft-sanz-openid-dns-discovery-00
    - But it's not user-friendly: one can't "curl" a TXT record
      - There is an RFC to do DNS queries over HTTPS
        - However, that standard is underspecified
          - The responses are binary DNS replies in HTTP reply bodies, which makes that protocol hard to use
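As an added illustration (not part of the session notes or any project's code), the following Python shows the two discovery paths discussed above side by side: building the RFC 7033 WebFinger URL for an email-style identifier and picking the IdP out of the JRD reply, with a fall-back to an `_openid` TXT record on the identifier's domain. The OpenID Connect issuer `rel` value, the `v=OID1;iss=<url>` TXT layout, and the responses are assumptions constructed here so it runs offline.

```python
import json
from urllib.parse import quote
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"  # OIDC Discovery issuer rel (assumed; not in the notes)

def to_resource(identifier):
    """'alice@example.com' -> 'acct:alice@example.com' (acct: URIs pass through unchanged)."""
    return identifier if identifier.startswith("acct:") else "acct:" + identifier

def webfinger_url(resource):
    """RFC 7033 query URL on the identifier's domain, with the resource percent-encoded."""
    domain = resource.rsplit("@", 1)[1]
    return f"https://{domain}/.well-known/webfinger?resource={quote(resource, safe='')}"

def issuer_from_jrd(jrd_text, resource):
    """Pick the IdP issuer out of a JRD reply; reject a reply that is not about our resource."""
    jrd = json.loads(jrd_text)
    if resource != jrd.get("subject") and resource not in jrd.get("aliases", []):
        raise ValueError("JRD subject/aliases do not cover the requested resource")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and link.get("href", "").startswith("https://"):
            return link["href"]
    raise LookupError("no https issuer link in JRD")

def issuer_from_txt(txt_values):
    """DNS alternative: parse _openid TXT values; the 'v=OID1;iss=<https url>' layout is an assumption."""
    for value in txt_values:
        fields = dict(part.split("=", 1) for part in value.split(";") if "=" in part)
        if fields.get("v") == "OID1" and fields.get("iss", "").startswith("https://"):
            return fields["iss"]
    raise LookupError("no usable _openid TXT record")

def resolve_idp(identifier, fetch_jrd, lookup_txt):
    """Try WebFinger first; if the domain has no usable endpoint, fall back to _openid.<domain> TXT."""
    resource = to_resource(identifier)
    try:
        return issuer_from_jrd(fetch_jrd(webfinger_url(resource)), resource)
    except (LookupError, ValueError, OSError):
        return issuer_from_txt(lookup_txt("_openid." + resource.rsplit("@", 1)[1]))

# Constructed responses so the example runs offline; no real network lookups happen.
SAMPLE_JRD = json.dumps({"subject": "acct:alice@example.com",
                         "links": [{"rel": OIDC_ISSUER_REL, "href": "https://idp.example.com"}]})
SAMPLE_TXT = {"_openid.example.org": ["v=OID1;iss=https://idp.example.org"]}
def fake_fetch_jrd(url):
    if url.startswith("https://example.com/"):
        return SAMPLE_JRD
    raise OSError("no WebFinger endpoint")  # example.org only publishes the TXT record
def fake_lookup_txt(name):
    return SAMPLE_TXT.get(name, [])
```

The subject/aliases check matters because a reply from the wrong host, or a tampered one, could otherwise point the SP at an attacker-chosen issuer.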