Comments on: OpenID – Part III – PingPong

By: How OpenID works | neumeier.org

How OpenID works | neumeier.org — Sun, 04 Jan 2009 19:08:06 +0000

[...] Part3 and flowchart: http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong [...]

By: The Security Roundtable » Blog Archive » The Security Roundtable for February 2007 - OpenID

Thu, 15 Mar 2007 19:55:18 +0000

[...] OpenID pingpong – http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/ [...]

By: it06.free.fr - Openid : une nouvelle vision décentralisée de la gestion de l’identité numérique.

Sun, 11 Mar 2007 21:13:47 +0000

[...] La dynamique complète d’authentification est donnée dans l’article “openid pingpong”. [...]

By: Charles Darke

Charles Darke — Tue, 06 Mar 2007 13:25:28 +0000

At or around stage 9 in the diagram. If Bob turned evil and wanted to log onto Trevor site (impersonating Alice) could Bob do this? That is, Bob would log on to Trevor and use any information previously given by Alice etc. to try to authenticate.

By: Brian

Brian — Wed, 28 Feb 2007 10:17:25 +0000

@Cheryl – As you pointed out, the basic problem to solve is how to verify if the person entering the URL is actually the person who OWNS the URL.

Steve doesn’t actually know anything about the person entering the URL on his web page. The URL says to ask Victor, so Steve will actually make the request to Victor indirectly, by redirecting Alice’s browser to an authentication URL at Victor. Thus, Victor will receive Alice’s cookies in this redirected request, and these cookies may contain a token that represents Alice’s login session with Victor, if she has already logged into Victor once before. In this case, Victor knows Alice already, and also knows if the URL belongs to Alice. Thus, Victor can answer YES or NO and sign the answer using a shared key only Victor and Steve know. The signed answer is sent back to Steve and Steve can verify the signature came from Victor.

If Alice has never logged into Victor before, Alice will not yet have a session cookie with Victor, and Victor will present Alice with a login page. Alice (or the bad guy using Alice’s URL) must now log into Victor with a username/password and get a session cookie with Victor before Victor can answer Steve with YES or NO.

So you cannot simply pose as Alice by using her URL on an OpenID site, unless you know Alice’s username/password with Victor. If you are Alice, and you’ve already logged into Victor once, you can use your OpenID URL at any OpenID site without ever needing to enter a username/password again (until your session expires with Victor)

Hope that clears it up.
Cheers!
– Brian

By: Cheryl

Cheryl — Wed, 31 Jan 2007 00:35:10 +0000

First off, I’m a non-techie.

I’m getting confused at steps 12-14. How does Victor check that it’s actually Alice who is asking and not just someone who knows Alice’s OpenID URL?

Thanks.

By: Stephen Pascoe’s Blog» Blog Archive » OpenID and LID compared

Stephen Pascoe’s Blog» Blog Archive » OpenID and LID compared — Fri, 13 Oct 2006 15:15:05 +0000

[...] ely documented here. I recommend looking at the diagram Ben Hyde’s blog entry to see a visual representation of the process. LID: The protocol [...]

By: Lopo Lencastre de Almeida

Lopo Lencastre de Almeida — Tue, 04 Jul 2006 15:29:54 +0000

This is very interesting for remote administration (TAx Authorities, Healthcare systems, etc).
We are going to look further on this to deal with remote identification in Care2x and Care3G.

Thanks for the nice explanation and all comments.

Best regards

By: This Old Network » OpenID enabled claimID - almost here

This Old Network » OpenID enabled claimID - almost here — Tue, 06 Jun 2006 17:39:30 +0000

[...] t couple weeks getting claimID ready for her transition to being both an OpenID server and consumer. We will be able to add a layer of user-centered verification and [...]

By: Steven J. Murdoch

Steven J. Murdoch — Wed, 17 May 2006 19:43:14 +0000

I also produced a protocol diagram, which goes into a little bit more detail in the message content/cryptography, and includes the association phase, but otherwise is largely similar. I hope it will also be of help.