
List:       openid-specs
Subject:    HTTP Authentication Bindings for "two-party" OpenID Authentication
From:       mart () degeneration ! co ! uk (Martin Atkins)
Date:       2007-03-31 11:58:48
Message-ID: 460E4CF8.8010200 () degeneration ! co ! uk


OpenID is currently only useful for three-party authentication where an 
end user (usually a human) is logging in to an RP with the help of an 
OpenID provider.

However, we do not have a solution for a software agent representing 
itself. Software agents don't need an OpenID Provider in the same sense 
as a human does because they can fill the role of the OpenID Provider 
themselves.

A long time ago I posted a proposal where HTTP Authentication is used as 
a transport for this sort of two-party OpenID Authentication:

     <http://www.lifewiki.net/openid/OpenIDHTTPAuth>

As noted on the wiki page, this is not intended to help non-human agents 
log into traditional RPs (e.g. websites) but rather to be used with 
specialized protocols where one non-human agent needs to talk directly 
to an RP without a user present.

The main problem people had with this at the time was the use of dumb 
mode, due to its vulnerability to MitM-type attacks. I would like a 
two-party authentication protocol like this for use in several 
machine-to-machine protocols I'm designing[1], but I'm reluctant to 
reference it right now while I know people (quite rightly!) have 
reservations about the security of it.

The obvious approach is to specify a way to do DH associations over an 
HTTP authentication protocol. However, it's not clear to me how to do a 
multi-stage authentication handshake efficiently over HTTP auth, since 
HTTP authentication is based around sending the request, getting back a 
401 Unauthorized response and then repeating the request in its entirety 
with appropriate authentication credentials.

I'm told that the Negotiate authentication scheme for Kerberos does this 
by retaining the request as state on the server and having the 
intermediate requests and responses contain no body, but this doesn't 
really seem in the spirit of HTTP.

I'd be interested in any insight that others may have to offer.


-----------------

[1] My hope is that dependent protocols will be able to use 
interchangeably either three-party request authentication via "OpenID 
Exchange"[2] or two-party authentication via this specification, so that 
protocols like "Send A Message"[3] will be able to work in both modes.

[2] http://openid.net/wiki/index.php/OpenID_Exchange_1.0

[3] http://openid.net/wiki/index.php/Send_A_Message_Protocol
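As an added sketch (not from this thread or the linked wiki page): one way a DH association could ride the two rounds of HTTP auth the message describes, with the RP keeping only a nonce-keyed private exponent between the challenge and the retried request. The scheme name `OpenIDAuth`, its header fields and the toy DH group are assumptions made for this example.

```python
import hmac, hashlib, secrets

# Constructed toy group so the sketch runs offline; NOT a safe group for real use.
P = 2**127 - 1
G = 2

def kdf(shared: int) -> bytes:
    return hashlib.sha256(str(shared).encode()).digest()

def sign(key: bytes, method: str, path: str, nonce: str, body: bytes) -> str:
    # MAC over the parts of the request that must not be altered in transit.
    msg = "\n".join([method, path, nonce, hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def parse(header: str) -> dict:
    return dict(kv.split("=", 1) for kv in header[len("OpenIDAuth "):].split(", "))

class RP:
    """Relying party: holds only a per-nonce private exponent between the two rounds."""
    def __init__(self):
        self.pending = {}                      # nonce -> RP private exponent

    def handle(self, method, path, headers, body=b""):
        auth = headers.get("Authorization")
        if auth is None:                       # round 1: 401 carrying our DH public value
            priv = secrets.randbelow(P - 2) + 1
            nonce = secrets.token_hex(8)
            self.pending[nonce] = priv
            return 401, {"WWW-Authenticate":
                         f"OpenIDAuth nonce={nonce}, dh_server_public={pow(G, priv, P)}"}
        params = parse(auth)                   # round 2: full request repeated with credentials
        priv = self.pending.pop(params.get("nonce"), None)   # nonce is single-use (replay)
        if priv is None:
            return 401, {"WWW-Authenticate": "OpenIDAuth error=stale_nonce"}
        key = kdf(pow(int(params["dh_consumer_public"]), priv, P))
        if not hmac.compare_digest(params["sig"], sign(key, method, path, params["nonce"], body)):
            return 403, {}
        return 200, {}

def agent_request(rp, method, path, body=b""):
    """Software agent acting as its own OP: retry the whole request once with credentials."""
    status, hdrs = rp.handle(method, path, {}, body)
    if status != 401:
        return status
    chal = parse(hdrs["WWW-Authenticate"])
    priv = secrets.randbelow(P - 2) + 1
    key = kdf(pow(int(chal["dh_server_public"]), priv, P))
    auth = (f"OpenIDAuth nonce={chal['nonce']}, dh_consumer_public={pow(G, priv, P)}, "
            f"sig={sign(key, method, path, chal['nonce'], body)}")
    status, _ = rp.handle(method, path, {"Authorization": auth}, body)
    return status
```

The shared key only proves that the retried request came from whoever answered the challenge; binding it to the agent's OpenID identifier, the part the message leaves open, still needs the RP to associate with the endpoint discovered from that identifier rather than with the inbound connection.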

