Introduction to FIDO (101 Session)

Day/Session: Tuesday 4B

Convener: Chris Streeks

Notes-taker(s): Romain Lenglet

Tags for the session – Technology discussed/ideas considered:

WebFinger

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

 "How to authenticate a user given its identifier?" boils down to "How to find the user's IdP?"

  • WebFinger specifies well-known URIs
    • RFC 7033
    • https://<domain>/.well-known/webfinger
  • Proposal: use 2+ levels of DNS subdomains instead
    • <whatever>.well_known.<domain>
    • It's easier to set up a DNS subdomain / CNAME than well-known URIs, redirects, etc.
  • Problems with this proposal identified by audience
    • The discussion is limited to resolving an IdP from an identifier that has a domain name, esp. an email address
    • It wouldn't work with other identifiers, e.g. employee ID, phone numbers, bank account numbers
    • Also, this solves only a small part of the overall problem of connecting an SP with an IdP
      • The IdP must also be set up with the ID+secret of the SP, etc.
    • Need to protect against MITM, which is easier with DNS
  • There is already an RFC draft specifying the use of an "_openid" TXT record for OpenID:
    • But it's not user-friendly: one can't "curl" a TXT record
  • There is an RFC to do DNS queries over HTTPS
    • However, that standard is underspecified
    • The responses are binary DNS replies in HTTP reply bodies, which makes that protocol hard to use
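As an added illustration of the WebFinger route discussed above (example code, not from the session or from any WebFinger implementation): build the RFC 7033 request for an email-style identifier and pull the OpenID Connect issuer out of the JSON Resource Descriptor (JRD) the domain returns. The JRD is a constructed sample; the issuer link relation is the one defined by OpenID Connect Discovery. The checks on the subject and on the issuer scheme are the defender's side of the MITM concern raised in the room.

```python
import json
from urllib.parse import quote, urlsplit

# Link relation that OpenID Connect Discovery uses to point at the user's IdP (issuer).
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def webfinger_url(identifier: str) -> str:
    """Build the RFC 7033 well-known URI for an email-style identifier.

    The host part of the identifier decides which server is asked, which is why
    this only works for identifiers that carry a domain (the limitation noted in
    the session). Only https is ever used: the answer is trusted because TLS
    authenticates the domain.
    """
    if "@" not in identifier:
        raise ValueError("identifier has no domain part; WebFinger cannot resolve it")
    resource = identifier if identifier.startswith("acct:") else "acct:" + identifier
    host = resource.rsplit("@", 1)[1]
    query = "resource=" + quote(resource, safe="") + "&rel=" + quote(OIDC_ISSUER_REL, safe="")
    return f"https://{host}/.well-known/webfinger?{query}"


def issuer_from_jrd(jrd_text: str, expected_subject: str) -> str:
    """Extract and sanity-check the issuer from a JRD body."""
    jrd = json.loads(jrd_text)
    # A server answering for a different subject should not be believed.
    if jrd.get("subject") != expected_subject:
        raise ValueError("JRD subject does not match the requested resource")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            href = link.get("href", "")
            # Refuse non-https issuers: a plain-http issuer reintroduces the MITM risk.
            if urlsplit(href).scheme != "https":
                raise ValueError("issuer must be an https URL")
            return href
    raise LookupError("no OpenID Connect issuer link in JRD")


# Constructed sample JRD, shaped like what a domain's WebFinger endpoint would return.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/~alice"},
        {"rel": OIDC_ISSUER_REL, "href": "https://idp.example.com"},
    ],
})

if __name__ == "__main__":
    print(webfinger_url("alice@example.com"))
    print(issuer_from_jrd(SAMPLE_JRD, "acct:alice@example.com"))
```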