trust root sanity
Martin Atkins
mart at degeneration.co.uk
Wed Jun 22 06:31:55 PDT 2005
Brian Ellin wrote:
> Hello Open Id Folks,
>
> I'm writing some trust root code, and reading from the version 0 spec:
>
> "You can try to pass things like http://*.com/ or http://*.co.uk/, but
> any respectable identity server will protect their users from that."
>
> So what exactly is a sane trust root? Is there any reasonable way of
> determining trust root sanity, and at what point do we leave it in the
> user's hands?
>
> For example is the large umbrella of http://*.k12.va.us/ sane?
> What about just private schools in va: http://*.pvt.k12.va.us/ ?
>
> In my opinion, neither of the above examples is sane, but how could the
> server possibly know?
>
I raised a similar point a while back. The general consensus, I think,
was that the ID server should catch the common cases and leave the user
to notice the more esoteric ones such as your examples here. It's
unlikely that a school will be using OpenID at all, let alone trying to
attack it. ;)

I think a reasonable starting point is that anything with only one
concrete domain is bad. *.museum, *.es, *.org ... all of those bad.

You can't really do much beyond that. Any other generic scheme you can
come up with can be invalidated by a counterexample. The only thing
left at this point is to hardcode knowledge about specific domains. For
example, no-one is allowed to register domains directly under .uk, so
*.anything.uk is bad. There are exceptions even to that rule, though:
www.nic.uk is the UK domain registrar, and www.nhs.uk is the National
Health Service. *.???.uk being allowed isn't good enough, though,
because that would allow *.net.uk. Chaos.

So beyond blocking the top-level stuff, you just have to let the users
sort it out. You could perhaps help by displaying warnings but not
failing completely in suspicious-looking cases, so the user is prompted
to take extra care in checking this URL.
------------------------------------
Another question that could be raised is whether
http://*.livejournal.com/ matches http://livejournal.com/ .
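The checks sketched in this message, as an added example (not code from the thread or from any OpenID library): reject a wildcard whose concrete part is a single label or a known public registration suffix, warn rather than fail when the wildcard sits directly under a country-code TLD whose second-level structure the table does not enumerate, and otherwise accept. The suffix table is a deliberately small constructed one (co.uk, org.uk, net.uk and friends stand in for the "hardcode knowledge about specific domains" idea); a real identity server would load the Public Suffix List. The `trust_root_covers` function, and its `bare_host_matches_wildcard` switch, are this example's way of leaving the closing question (does `http://*.livejournal.com/` match `http://livejournal.com/`?) as a policy choice rather than a settled answer.

```python
from urllib.parse import urlsplit

# Constructed, deliberately small table (an assumption of this example): labels
# under which the general public registers names directly.  The .uk rows encode
# "nothing registers directly under .uk, but co.uk, org.uk, net.uk ... are
# registries", so nic.uk and nhs.uk fall through to the WARN path instead of
# being rejected.  Production code would load the Public Suffix List.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "museum", "es", "uk", "us",
    "co.uk", "org.uk", "net.uk", "me.uk", "ltd.uk", "plc.uk", "ac.uk", "gov.uk",
}

REJECT, WARN, OK = "reject", "warn", "ok"


def _matched_suffix(labels):
    """Longest PUBLIC_SUFFIXES entry that is a tail of `labels`, or '' if none."""
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return ""


def check_trust_root(trust_root):
    """Classify an OpenID trust root as REJECT, WARN or OK, with a reason."""
    parts = urlsplit(trust_root)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return REJECT, "trust root must be an http(s) URL with a host"
    host = parts.hostname.lower().rstrip(".")
    if "*" not in host:
        return OK, "no wildcard"
    if not host.startswith("*.") or "*" in host[2:]:
        return REJECT, "only a single leading '*.' wildcard is allowed"
    concrete = host[2:]
    labels = concrete.split(".")
    if "" in labels:
        return REJECT, "malformed host"
    if len(labels) < 2:
        # *.museum, *.es, *.org: one concrete label covers a whole TLD.
        return REJECT, "wildcard over a whole top-level domain"
    suffix = _matched_suffix(labels)
    if suffix == concrete:
        # *.co.uk, *.net.uk: every name under a public registry.
        return REJECT, "wildcard covers every name under the public suffix " + suffix
    tld = labels[-1]
    if len(tld) == 2 and suffix in ("", tld):
        # Directly under a ccTLD with no second-level knowledge in the table
        # (*.nhs.uk, *.k12.va.us): surface it to the user instead of failing.
        return WARN, "wildcard sits directly under ccTLD ." + tld + "; ask the user to check"
    return OK, "wildcard is anchored below a known registration level"


def trust_root_covers(trust_root, return_to, bare_host_matches_wildcard=True):
    """Does `return_to` fall under `trust_root` (scheme, port, host, path prefix)?

    Whether *.example.com also covers example.com itself is left as a switch;
    the thread raises the question without answering it.
    """
    root, url = urlsplit(trust_root), urlsplit(return_to)
    if root.scheme != url.scheme or root.port != url.port:
        return False
    rhost = (root.hostname or "").lower().rstrip(".")
    uhost = (url.hostname or "").lower().rstrip(".")
    if rhost.startswith("*."):
        base = rhost[2:]
        host_ok = uhost.endswith("." + base) or (bare_host_matches_wildcard and uhost == base)
    else:
        host_ok = uhost == rhost
    if not host_ok:
        return False
    # Path prefix on directory boundaries: a root of /app/ must not cover /apple/.
    rpath = root.path or "/"
    upath = url.path or "/"
    prefix = rpath if rpath.endswith("/") else rpath + "/"
    return upath == rpath or upath.startswith(prefix)


if __name__ == "__main__":
    for root in ("http://*.com/", "http://*.co.uk/", "http://*.nhs.uk/",
                 "http://*.k12.va.us/", "http://*.livejournal.com/"):
        print(root, *check_trust_root(root))
```

Usage: an identity server would call `check_trust_root` when it first sees a trust root, refuse REJECT outright, render WARN with an extra "check this URL carefully" prompt on the approval page, and then use `trust_root_covers` to confirm the consumer's return URL actually lies under the root the user approved.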