extensions to OpenID
Hiroaki KAWAI
kawai at iij.ad.jp
Tue May 31 08:40:29 PDT 2005
Hi,
Last few days, I thought about the security considerations,
and I'd like to suggest some solutions.
1. Add spec that the connection between some_blog and
openid_url site MAY use https scheme to assert that the content
of the openid_url is surely sent from openid_url server.
(for man in the middle attack. p_user might be misled to wrong
id server and type their password at evil id_serv.)
# https://openid_url
2. Add spec that the connection between some_blog and
id_serv MAY use https scheme to assert that the arguments
and the signature of the concatenated string is surely sent from
id_serv server. Mainly to protect the id_serv public key.
(for man in the middle attack)
# https://id_serv
## I think this is less important.
3. Define an extensional spec (out of OpenID spec itself) that
id_serv MAY send additional identity clue and its DSA signature
as we do in openid.sig, to achieve a higher level of confirmation.
The clue MAY contain some IDs that id_serv maintains locally
(ex, UUID), or some other helper information to validate that
the user is "p_user".
I'd like to suggest separate signature to achieve wide
compatibility in an easy way.
Then, to utilize the additional information, we should define it
in separate protocol spec.
where
- p_user : person to be authenticated
- openid_url : the url that represents P.
- id_serv : ID server that p_user relies on.
- some_blog : OpenID consumer site.
Any suggestions?
---Hiroaki Kawai
kawai at iij.ad.jp
Applied Research and Technology Division,
Technology Department,
Internet Initiative Japan Inc.
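Item 3 above, as an added example that is not part of this post or of the OpenID spec: id_serv signs the core fields as openid.sig and the extra identity clue with a separate ext.sig, so a consumer that ignores the extension still verifies the core response unchanged, while an extension-aware consumer checks both. The field names ext.clue/ext.sig, the concatenation order and the toy-sized DSA parameters are assumptions (Python 3.8+ for pow(k, -1, Q)).

```python
import hashlib
import random
# Toy DSA domain parameters, constructed for illustration only: q divides
# p-1 and g = 2^((p-1)/q) mod p has order q. Real DSA uses far larger primes.
P, Q, G = 2039, 1019, 4

def h(msg: str) -> int:
    return int(hashlib.sha1(msg.encode()).hexdigest(), 16) % Q  # hash into [0, Q)

def keygen(rng=random):
    x = rng.randrange(1, Q)  # id_serv private key
    return x, pow(G, x, P)   # (private x, public y)

def sign(x, msg, rng=random):
    """DSA signature (r, s) over msg with private key x."""
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h(msg) + x * r)) % Q
        if r and s:
            return r, s

def verify(y, msg, sig):
    """DSA verification of sig over msg with public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h(msg) * w) % Q, (r * w) % Q
    return ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q == r

# Assumed layout: openid.sig covers the core fields concatenated in this fixed
# order; the extension clue gets its own ext.sig, so a consumer that knows
# nothing about the extension still validates the core response unchanged.
CORE = ("openid.mode", "openid.identity", "openid.return_to")

def id_serv_response(x, core, clue):
    """Build the id_serv reply: core fields + openid.sig, then clue + ext.sig."""
    resp = dict(core)
    resp["openid.sig"] = sign(x, "".join(resp[k] for k in CORE))
    resp["ext.clue"] = clue
    resp["ext.sig"] = sign(x, clue)
    return resp

def consumer_verify(y, resp, check_ext=False):
    """A legacy consumer checks only openid.sig; an extension-aware one also ext.sig."""
    ok = verify(y, "".join(resp[k] for k in CORE), resp["openid.sig"])
    if ok and check_ext:
        ok = verify(y, resp["ext.clue"], resp["ext.sig"])
    return ok
```

Note that a legacy consumer accepts a response whose clue was altered, since it never looks at ext.sig; only the extension-aware consumer rejects it.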