[Go-essp-tech] Whitelisting of IDPs
philip.kershaw at stfc.ac.uk
philip.kershaw at stfc.ac.uk
Thu Feb 17 09:27:15 MST 2011
Hi Nate,
One thing to take into consideration is the requirement that OpenID
Providers for use in the federation use HTTPS. Defects in the OpenID spec
make it insecure when run over a non-encrypted connection. Given this, I
think whitelisting has to stay in some form.
Cheers,
Phil
On 17/02/2011 15:44, "Nathan Wilhelmi" <wilhelmi at ucar.edu> wrote:
>Hi,
>
>In released versions of the gateway (1.2.0 and earlier) there are some
>technical reasons for whitelisting which IDPs user's could use. Version
>1.3 contains a significant OpenId overhaul which should remove the
>technical needs for whitelisting IDPs. With version 1.3 if you come in
>from an IDP and the required attributes are not sent via AX the user is
>simply prompted for the needed attributes before continuing. So from the
>user's perspective they should be able to come in from *pretty much* any
>IDP. Internally we have been testing with myopenid.com successfully.
>
>So we have a couple of options:
>
>1) Remove whitelisting all together. We can still have a 'where are you
>from' list of potential IDPs, this doesn't preclude BADC's suggestion.
>We also have some ideas on how we can do a 'forgot my OpenId' to help
>users figure out where they might be from.
>2) Put whitelisting back in, although drive it from the registry service
>rather than shipping XML files with releases.
>3) Put a registry driven blacklist in place. If we find a few IDPs cause
>problems we can blacklist those and let users freely use other ones.
>
>Thoughts as to what direction to head?
>
>Thanks!
>
>-Nate
>_______________________________________________
>GO-ESSP-TECH mailing list
>GO-ESSP-TECH at ucar.edu
>http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
--
Scanned by iCritical.
More information about the GO-ESSP-TECH
mailing list