NextForOpenID

From IIW

Facilitators: Dick and Josh

Purpose: Now that OpenID Authentication 2.0 is final, it's time to decide what to tackle next. What are OpenID's current weaknesses? Where can we improve it?

Notes:

  • Are we done? Should OpenID add more features for e.g. high-value transactions?
    • Answer: audience is still asleep at 9 AM.


Weaknesses we should address

  • OpenID phishability concerns (it's too easy for a malicious RP to redirect to a MitM OP and for the user to not notice.)
  • Concerns about allowing for secure channels (i.e. HTTPS)
    [ed. it's not clear if this is a weakness in a protocol or a lack of understanding in the person raising the issue.]
  • Performance - too many redirects. The experience of logging in with OpenID is slower than direct credentials.
  • CardSpace and OpenID - can we remove confusion in the market by merging these?
  • Longevity. OpenID stays secure only as long as the domain does. When you lose the domain, not only do you lose access to the resources, but someone else can gain access to all of them. (The identifier is more reassignable than we want it to be.) "Identifier control." Digital certificates would be one answer.
  • OpenID authentication from a non-browser client.
  • Synonymous identifiers.
  • Browser integration -- what does it mean? (see also "less geeky UI")
  • Establishing delegation with XRDS. (I want example.com to delegate to example.provider.net; how do I keep the Service records reported by example.com accurate with regard to the endpoint at provider.net?)


Identifier Management

  • "I got an OpenID somewhere, where did I get it from?"
  • "I have Yahoo!, LJ, AOL, which should I use to log in?"

  • "I have an email address, how do I find out my OpenID?"
  • Typing in a URL is "too geeky"


Concerns we think we've already addressed

  • OP certification?
    • The protocol currently allows an RP to whitelist OPs. From a protocol design perspective, 2.0 is sufficient.
  • RP session re-validation
    • User logs in to RP1, then RP2, uses RP2 for a while, and then finds RP1 has expired. Seems to be addressed by checkid_immediate.
  • Sending complex data types through OpenID.
    • Currently addressed by the fact that you can move encoded rich data through AX.
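As an added example (not code from the session, nor from any OpenID library), this Python sketch shows the RP side of two points raised above: parsing the XRDS that a site like example.com publishes to delegate to an endpoint at provider.net, and applying the RP's OP allowlist (plus an HTTPS-only rule) before sending the user off to that endpoint. The host names and the XRDS document are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces and service type used by OpenID 2.0 XRDS discovery documents.
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample: example.com delegates to an OP at provider.net, plus a legacy HTTP-only endpoint.
SAMPLE_XRDS = f"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="10">
      <Type>{SIGNON}</Type>
      <URI>https://provider.net/openid/endpoint</URI>
      <LocalID>https://example.provider.net/</LocalID>
    </Service>
    <Service priority="20">
      <Type>{SIGNON}</Type>
      <URI>http://legacy.example.org/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def parse_signon_services(xrds_text):
    """Return [(priority, endpoint, local_id)] for each OpenID 2.0 signon Service,
    lowest priority number first. local_id is None when there is no delegation."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        if SIGNON not in types:
            continue
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if uri is None or not uri.text:
            continue  # a Service without an endpoint is unusable
        local = svc.find(f"{{{XRD_NS}}}LocalID")
        local_id = local.text.strip() if local is not None and local.text else None
        services.append((int(svc.get("priority", 2**31 - 1)), uri.text.strip(), local_id))
    return sorted(services, key=lambda s: s[0])

def select_endpoint(xrds_text, allowed_op_hosts):
    """Pick the first signon endpoint that is HTTPS and whose host is on the RP's
    OP allowlist; return (endpoint, local_id), or None if nothing is acceptable."""
    for _prio, endpoint, local_id in parse_signon_services(xrds_text):
        parsed = urlparse(endpoint)
        if parsed.scheme == "https" and parsed.hostname in allowed_op_hosts:
            return endpoint, local_id
    return None
```

The returned local_id is the identifier the RP must send as openid.identity, while the claimed identifier (example.com) is what it records for the user; an endpoint that is not on the allowlist is simply never redirected to.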