Special purpose User-Agents

[David Kolf]

I noticed OpenID when I was looking for a way to support identification
for multiplayer games.  In many games you can run your own server, but
you had no way to verify the identity of the players or you had to use
your own local registry.  OpenID would be a good solution.

However, OpenID currently requires either cookies as "password" or it
requires you to log in to a special website.  Your game client would not
know the cookie and could not display the website.  I browsed the
archive and noticed that Mart mentioned this problem in May.

The solution that was proposed in May was to start a local, temporary
http server and to open the default browser in order to do the
authentification.  This works, but it would not look smooth if the game
client would open a browser each time you connect to a server.

Would it be possible to submit an extra value "openid.password=xyz" in
the check_immediate mode to the identity server?  This would not be very
safe, but the login cookie that is currently used by the browser is no
safer.

I noticed one security hole in this approach, that could be used for
scam: the game server (the consumer) could send you to a rogue identity
server in the hope that your password ends up there.  This hole could be
fixed in the User-Agent.  The User-Agent would load the identity URL,
too, and would therefore know the URL of the correct identity server.
In case the consumer tries to send it elsewhere it will refuse.

Of course you would still have to trust the User-Agent.  But with free
software where you can check the source this should not be a problem.

- David Kolf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
Url : http://lists.danga.com/pipermail/yadis/attachments/20050801/24adeb6e/signature.pgp