Comments on: OpenID - Part III - PingPong http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong Ben Hyde Sun, 12 Oct 2008 23:37:39 +0000 http://wordpress.org/?v=2.5.1 By: The Security Roundtable » Blog Archive » The Security Roundtable for February 2007 - OpenID http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong#comment-54438 The Security Roundtable » Blog Archive » The Security Roundtable for February 2007 - OpenID Thu, 15 Mar 2007 19:55:18 +0000 http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/#comment-54438 [...] OpenID pingpong - http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/ [...] [...] OpenID pingpong - http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/ [...]

]]> By: it06.free.fr - Openid : une nouvelle vision décentralisée de la gestion de l’identité numérique. http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong#comment-53854 it06.free.fr - Openid : une nouvelle vision décentralisée de la gestion de l’identité numérique. Sun, 11 Mar 2007 21:13:47 +0000 http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/#comment-53854 [...] La dynamique complète d’authentification est donnée dans l’article “openid pingpong”. [...] [...] La dynamique complète d’authentification est donnée dans l’article “openid pingpong”. [...]

]]> By: Charles Darke http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong#comment-52278 Charles Darke Tue, 06 Mar 2007 13:25:28 +0000 http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/#comment-52278 At or around stage 9 in the diagram. If Bob turned evil and wanted to log onto Trevor site (impersonating Alice) could Bob do this? That is, Bob would log on to Trevor and use any information previously given by Alice etc. to try to authenticate. At or around stage 9 in the diagram. If Bob turned evil and wanted to log onto Trevor site (impersonating Alice) could Bob do this? That is, Bob would log on to Trevor and use any information previously given by Alice etc. to try to authenticate.

]]> By: Brian http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong#comment-50621 Brian Wed, 28 Feb 2007 10:17:25 +0000 http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/#comment-50621 @Cheryl - As you pointed out, the basic problem to solve is how to verify if the person entering the URL is actually the person who OWNS the URL. Steve doesn't actually know anything about the person entering the URL on his web page. The URL says to ask Victor, so Steve will actually make the request to Victor indirectly, by redirecting Alice's browser to an authentication URL at Victor. Thus, Victor will receive Alice's cookies in this redirected request, and these cookies may contain a token that represents Alice's login session with Victor, if she has already logged into Victor once before. In this case, Victor knows Alice already, and also knows if the URL belongs to Alice. Thus, Victor can answer YES or NO and sign the answer using a shared key only Victor and Steve know. The signed answer is sent back to Steve and Steve can verify the signature came from Victor. If Alice has never logged into Victor before, Alice will not yet have a session cookie with Victor, and Victor will present Alice with a login page. Alice (or the bad guy using Alice's URL) must now log into Victor with a username/password and get a session cookie with Victor before Victor can answer Steve with YES or NO. So you cannot simply pose as Alice by using her URL on an OpenID site, unless you know Alice's username/password with Victor. If you are Alice, and you've already logged into Victor once, you can use your OpenID URL at any OpenID site without ever needing to enter a username/password again (until your session expires with Victor) Hope that clears it up. Cheers! -- Brian @Cheryl - As you pointed out, the basic problem to solve is how to verify if the person entering the URL is actually the person who OWNS the URL.

Steve doesn’t actually know anything about the person entering the URL on his web page. The URL says to ask Victor, so Steve will actually make the request to Victor indirectly, by redirecting Alice’s browser to an authentication URL at Victor. Thus, Victor will receive Alice’s cookies in this redirected request, and these cookies may contain a token that represents Alice’s login session with Victor, if she has already logged into Victor once before. In this case, Victor knows Alice already, and also knows if the URL belongs to Alice. Thus, Victor can answer YES or NO and sign the answer using a shared key only Victor and Steve know. The signed answer is sent back to Steve and Steve can verify the signature came from Victor.

If Alice has never logged into Victor before, Alice will not yet have a session cookie with Victor, and Victor will present Alice with a login page. Alice (or the bad guy using Alice’s URL) must now log into Victor with a username/password and get a session cookie with Victor before Victor can answer Steve with YES or NO.

So you cannot simply pose as Alice by using her URL on an OpenID site, unless you know Alice’s username/password with Victor. If you are Alice, and you’ve already logged into Victor once, you can use your OpenID URL at any OpenID site without ever needing to enter a username/password again (until your session expires with Victor)

Hope that clears it up.
Cheers!
– Brian

]]> By: Cheryl http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong#comment-41941 Cheryl Wed, 31 Jan 2007 00:35:10 +0000 http://enthusiasm.cozy.org/archives/2005/05/openid-part-iii-pingpong/#comment-41941 First off, I'm a non-techie. I'm getting confused at steps 12-14. How does Victor check that it's actually Alice who is asking and not just someone who knows Alice's OpenID URL? Thanks. First off, I’m a non-techie.

I’m getting confused at steps 12-14. How does Victor check that it’s actually Alice who is asking and not just someone who knows Alice’s OpenID URL?

Thanks.

]]>