I met with the guys at fun.de last week when I was in Redmond.
At http://OpenIDbyCard.com/ they have a way of acting as a proxy for a self-issued info-card to be used as a login at an OpenID Relying Party, like Plaxo.
It is an interesting proof of concept. I encourage people to try it.
However, remember that the claimed_id of the OpenID login is a hash generated from that self-issued card's PPID at http://OpenIDbyCard.com/, hashed with the realm of the OpenID RP.
What that means is that if anything happens to the card, the identity is gone forever. Also, if you move the card to another computer, the identity changes. Just a caution: you may want to use it only for testing at this point.
The other approach, which we are using at Linksafe.name, is to bind a self-issued card to your OpenID login at the OP. This provides the benefits of a traditional OpenID with the phishing resistance of an info-card login.
If you lose the info-card or change computers, you can associate a new self-issued card with your OpenID account.
I am the first to admit that these are only half steps toward a more ideal marriage of phishing resistance and usability between OpenID and info-cards.
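To make the difference between the two approaches concrete, here is an added model (my example, not code from OpenIDbyCard.com or Linksafe.name) of how the identifier is bound in each case. The hash algorithm (SHA-256), the string encoding, the URL shapes and the PPID values are all constructed assumptions for illustration; the post only states that the proxy's claimed_id is a hash of the card's PPID and the RP realm, and that the OP approach binds a card to an existing account.

```python
import hashlib
from typing import Dict, Optional


def proxy_claimed_id(ppid: str, rp_realm: str) -> str:
    """Proxy model: claimed_id is derived from the card's PPID and the RP realm.

    There is no account record behind the identifier, so whatever the PPID does,
    the identifier follows it. SHA-256 over "ppid|realm" is an assumed scheme,
    not OpenIDbyCard.com's actual one.
    """
    digest = hashlib.sha256(f"{ppid}|{rp_realm}".encode("utf-8")).hexdigest()
    return f"https://proxy.example/id/{digest[:32]}"  # hypothetical URL shape


class OpenIDProvider:
    """OP model: an account owns a stable claimed_id; cards are bound to it.

    A lost or replaced card is handled by unbinding the old PPID and binding a
    new one after the user recovers the account (password or recovery email).
    """

    def __init__(self, base_url: str) -> None:
        self.base_url = base_url
        self.accounts: Dict[str, str] = {}       # username -> claimed_id
        self.card_bindings: Dict[str, str] = {}  # ppid -> username

    def register(self, username: str) -> str:
        claimed_id = f"{self.base_url}/{username}"  # hypothetical URL shape
        self.accounts[username] = claimed_id
        return claimed_id

    def bind_card(self, username: str, ppid: str) -> None:
        if username not in self.accounts:
            raise KeyError(f"unknown account {username!r}")
        self.card_bindings[ppid] = username

    def unbind_card(self, ppid: str) -> None:
        # Revoke a lost card so it can no longer log in to the account.
        self.card_bindings.pop(ppid, None)

    def login_with_card(self, ppid: str) -> Optional[str]:
        username = self.card_bindings.get(ppid)
        return self.accounts[username] if username else None


def demonstrate() -> Dict[str, object]:
    """Walk one card-replacement scenario through both models."""
    original_ppid = "ppid-card-A"  # constructed sample value
    replacement_ppid = "ppid-card-B"  # constructed: a new card after the old one is lost
    realm = "https://plaxo.example/"  # constructed RP realm

    # Proxy: the RP saw one identifier before, and sees a different one after.
    proxy_before = proxy_claimed_id(original_ppid, realm)
    proxy_after = proxy_claimed_id(replacement_ppid, realm)

    # OP: the account's identifier is stable; only the card binding changes.
    op = OpenIDProvider("https://op.example")
    stable_id = op.register("alice")
    op.bind_card("alice", original_ppid)
    op.unbind_card(original_ppid)            # card lost: revoke it
    op.bind_card("alice", replacement_ppid)  # after account recovery: bind the new card

    return {
        "proxy_identity_preserved": proxy_before == proxy_after,
        "op_identity_preserved": op.login_with_card(replacement_ppid) == stable_id,
        "old_card_still_logs_in": op.login_with_card(original_ppid) is not None,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Note also that because the proxy hashes in the RP realm, the same card produces a different claimed_id at every RP, so a card change orphans each of those identities separately; the OP model has a single account to recover.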
The guys at fun.de have a good demo of how easy it is to phish OpenIDs at http://idtheft.fun.de/
Warning: this will phish your OpenID password! That, however, is the point they are making.
Note this is only one of the possible attacks, depending on how your OP is set up.
If you aren't feeling brave, Mike Jones steps through the site on his blog: http://self-issued.info/?p=73
I am looking forward to working with fun.de and others interested in creating a better OpenID info-card that can be used to log in directly to an RP and assert a verifiable OpenID to initiate service discovery for OAuth and ID-WSF.
More on that as I move the project along.
=jbradley
Comments
While I agree with most of your points, please allow me to comment on the statements “What that means is that if anything happens to the card the identity is gone forever” and “if you move the card to another computer the identity changes”.
“If anything happens to the card” can be mitigated in two ways. First, the card can be backed up. (In fact, during the OSIS http://osis.idcommons.net/ interops, backup and restore was tested between different identity selectors.) Second, just as sites typically have “lost password” procedures to re-establish control of an account, “lost Information Card” and “lost OpenID” procedures should also be in place. See http://self-issued.info/?p=26 for guidance on establishing these procedures for sites using Information Cards.
Also I disagree that “if you move the card to another computer the identity changes”. In fact, some of the core OSIS interop tests verify that the identity is preserved when moving cards between selectors.
-- Mike
It may just have been when downloading the card to multiple computers that we had problems with the key material generating different PPIDs.
I need to go back over the OSIS interop tests and check.
In any event, I recommend people use an infocard or other phishing-resistant method for authenticating to their OpenID OP.
In a worst-case scenario at Linksafe you can always create a new self-issued card to use by logging in directly to your management interface with your password, or do a recovery email.
With the proxy you are a bit at the mercy of someone you have no relationship with. I can see it as an additional service that an OpenID OP might offer. However, a site like that is a perfect way to gather account information if run by unscrupulous people.
Now I know the fun.de guys aren't like that, and they aren't logging the PPIDs, but others might.
People need to remember that in the openID world your OP can always log into your sites as you. You need to trust the OP, it should not be a casual relationship if you are using the login at sites you care about.
Perhaps I am paranoid but that is part of my limited charm:)
What we need are more sites that take infocards directly.
Mike please do something about that will you:)
=jbradley
Edited at 2008-05-27 03:51 am (UTC)
The attacks that fun.de is demonstrating would allow an attacker to get into the RP. Yes they need to phish you each time. However they may only need to get in once depending on the RP.
The best thing is to combine a token with a phishing resistant IDP.
Infocards are just one way to make an IDP phishing resistant.
I see tokens as a complementary technology.
I am working with a couple of OTP vendors to make sure they can plug their authentication into any proposed solution.
I am happy to talk to Yubikey if they are interested.
Regards
=jbradley