[ANN] NameID - Use namecoin id/ to log into OpenID sites
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
The phpbb plugin may use an old version of this lib.
However, the following url uses the new one :
https://dot-bit.org/forum/openid2/examples/discover.php
I missed a step in adding the startCom certificate into debian (ln -s /etc/ssl/certs/StartCom_Class_1_Primary_Intermediate_Server.crt /etc/ssl/certs/ea59305e.0).
It's now better, but Alternative Names are still not recognized by wget (it seems to be a bug in wget < 1.13-1) :
wget -S -O /dev/null https://www.nameid.org/ => OK
wget -S -O /dev/null https://nameid.org/ => http://www.nameid.org != nameid.org
So, this is now working :
https://dot-bit.org/forum/openid2/examp ... eid.org%2F
And, with the phpBB plugin, it seems to work with AND without 'www', good :p
I'm now redirected to the nameid sign-in page.
Next : I'll test the challenge message with my id :p
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
From: https://nameid.org/?action=login&view=login
=> You are currently logged in as id/khal. Should we confirm your identity to the requesting page below?
After clicking "Yes" :
My existing phpBB account should have been linked with my openId account (in the db I see this url associated with my account : https://nameid.org/?name=khal).
Create OpenID Account
You have been verified as OpeniD: https://nameid.org/?name=khal
Either your OpenID provider did not supply a valid Username and email, or the username was already taken. Please fill in these details to create your account.
Register:
...
Or you can bind this OpenID to an existing forum account.
...
Next try :
- nameid.org already recognizes me (no need to sign the challenge again) : You are currently logged in as id/khal. Should we confirm your identity to the requesting page below?
- I click on "Yes"
- I am logged in as "khal"
Here are the URLs you can use to test the openid login :
Please, test and provide some feedback
If all is working as it should, I'll activate the feature.
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
Khal,
I have sent you 173 messages, but not one reply (maybe slight over exaggeration)
Did you review the new patch, and will you update block explorer and repos (when you think it's ok)?
Are you back now or still busy?
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
snailbrain, I replied there : https://dot-bit.org/forum/viewtopic.php?p=6808#p6808
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
khal, that is great! Thanks for working on it further, I'm looking forward to trying it out (when I'm at home where I have my names).
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
Good news Khal.
I see on the bottom 2 input fields:
Login Using OpenID
Login with your Provider user name
Login with your OpenID URL
and a list:
.icon http://{your-openid-url}
.icon https://www.google.com/accounts/o8/id
.icon http://yah-oo.com/
.icon http://openid.aol.com/username
.icon http://username.myopenid.com/
.icon http://flickr.com/
.icon http://username.wordpress.com
.icon http://username.blogspot.com/
.icon http://claimid.com/username
.icon http://username.myvidoop.com/
.icon http://username.pip.verisignlabs.com/
I guess these are the supported identity providers and .icon stands for some blocked buttons.
As I see, both login fields, if I insert https://nameid.org/?name=namecoinidentity, redirect to the namecoinidentity login.
http://namecoinia.org/
Calendars for free to print: 2014 Calendar in JPG | 2014 Calendar in PDF Protect the Environment with Namecoin: 2014 Calendar in JPG | 2014 Calendar in PDF
BTC: 15KXVQv7UGtUoTe5VNWXT1bMz46MXuePba | NMC: NABFA31b3x7CvhKMxcipUqA3TnKsNfCC7S
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
I can see a potential attack on this scheme when your login works for multiple sites (A, B). It would work as follows:
1. User (U) attempts to log into site A.
2. Malicious site A sends a log in request to B as the user to receive a challenge (C).
3. A sends U the challenge C.
4. U signs C and sends A sign(k,C).
5. A sends B sign(k,C). Now A is authenticated as A on
Does the system protect against this? Also, do challenges time out?
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
Is your inquiry directed at the OpenID gateway, or the trust-free library?
jprider63 wrote:
I can see a potential attack on this scheme when your login works for multiple sites (A, B). It would work as follows:
1. User (U) attempts to log into site A.
2. Malicious site A sends a log in request to B as the user to receive a challenge (C).
3. A sends U the challenge C.
4. U signs C and sends A sign(k,C).
5. A sends B sign(k,C). Now A is authenticated as A on
Does the system protect against this? Also, do challenges time out?
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
Not sure I understand exactly what you have in mind (namely, OpenID gateway vs trust-free library as biolizard89 asked already), but I don't see a problem here. In the first case, there's no problem at all, because the login only works at the OpenID gateway anyway. So assume the latter case. For this, however, the challenges include the URI of the site the user wants to log in (and the Mozilla add-on automatically inserts the actual URI, so a malicious site can't trick the add-on into signing challenges for other sites).
jprider63 wrote:
I can see a potential attack on this scheme when your login works for multiple sites (A, B). It would work as follows:
1. User (U) attempts to log into site A.
2. Malicious site A sends a log in request to B as the user to receive a challenge (C).
3. A sends U the challenge C.
4. U signs C and sends A sign(k,C).
5. A sends B sign(k,C). Now A is authenticated as A on
Does the system protect against this? Also, do challenges time out?
Challenges don't have an explicit time-stamp, but of course they time out when the server clears the session. Challenge nonces are stored as part of the session. I hope I could make myself clear about how the system works - if you still see a potential vulnerability, please let me know so I can think about a fix! (But I don't see one at the moment, although I'm no professional cryptographer.)
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/
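The relay question and the answer above (the site URI is part of the signed challenge, the add-on inserts the real page URI, the nonce lives in the server session) can be checked with a small simulation. This is an added example, not NameID or add-on code; the Lamport signature is a standard-library stand-in for the Namecoin signature, and the challenge wording, the `a.example`/`b.example` sites, `id/alice`, and passing the public key in directly are assumptions.

```python
import hashlib, secrets

# Lamport one-time signature over SHA-256: a stdlib stand-in (assumption) for
# the Namecoin address signature the real system uses. One key per login here.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[hashlib.sha256(s).digest() for s in pair] for pair in sk]

def _bits(msg):
    d = int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(hashlib.sha256(s).digest() == pk[i][b]
                                   for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def challenge(uri, name, nonce):
    # Hypothetical wording; what matters is that the site URI is in the signed text.
    return f"login {name} at {uri} nonce {nonce}"

class Site:
    def __init__(self, uri, bind_uri=True):
        self.uri, self.scope, self.sessions = uri, (uri if bind_uri else ""), {}
    def new_nonce(self, sid):
        self.sessions[sid] = secrets.token_hex(16)   # nonce is stored in the session
        return self.sessions[sid]
    def login(self, sid, name, pk, sig):
        nonce = self.sessions.pop(sid, None)         # single use, gone with the session
        return nonce is not None and verify(pk, challenge(self.scope, name, nonce), sig)

def addon_sign(sk, page_uri, name, nonce, bind_uri=True):
    # The add-on inserts the URI of the page it is actually on, never one the page supplies.
    return sign(sk, challenge(page_uri if bind_uri else "", name, nonce))

def relay_accepted(bind_uri):
    """Steps 2-5 from the thread: A relays B's nonce to U, then U's signature to B."""
    sk, pk = keygen()
    a, b = Site("https://a.example/", bind_uri), Site("https://b.example/", bind_uri)
    nonce_b = b.new_nonce("relay")
    sig = addon_sign(sk, a.uri, "id/alice", nonce_b, bind_uri)   # U is on A's page
    return b.login("relay", "id/alice", pk, sig)

def honest_then_replay():
    sk, pk = keygen()
    b = Site("https://b.example/")
    sig = addon_sign(sk, b.uri, "id/alice", b.new_nonce("s1"))
    return b.login("s1", "id/alice", pk, sig), b.login("s1", "id/alice", pk, sig)
```

With `bind_uri=False` the challenge is only the id and a nonce, and site B accepts the relayed response; with the URI bound, B rejects it, and a second submission of an honest response fails because the nonce was consumed.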
Re: [ANN] NameID - Use namecoin id/ to log into OpenID sites
I suppose it would be easier to reason about if the protocol was written up and published. From what I can tell, U requests a log in to A. A returns C, which is composed of U's id and a nonce. U signs the challenge and returns it to A. A verifies the challenge and logs U in.
domob wrote:
Not sure I understand exactly what you have in mind (namely, OpenID gateway vs trust-free library as biolizard89 asked already), but I don't see a problem here. In the first case, there's no problem at all, because the login only works at the OpenID gateway anyway. So assume the latter case. For this, however, the challenges include the URI of the site the user wants to log in (and the Mozilla add-on automatically inserts the actual URI, so a malicious site can't trick the add-on into signing challenges for other sites).
jprider63 wrote:
I can see a potential attack on this scheme when your login works for multiple sites (A, B). It would work as follows:
1. User (U) attempts to log into site A.
2. Malicious site A sends a log in request to B as the user to receive a challenge (C).
3. A sends U the challenge C.
4. U signs C and sends A sign(k,C).
5. A sends B sign(k,C). Now A is authenticated as A on
Does the system protect against this? Also, do challenges time out?
Challenges don't have an explicit time-stamp, but of course they time out when the server clears the session. Challenge nonces are stored as part of the session. I hope I could make myself clear about how the system works - if you still see a potential vulnerability, please let me know so I can think about a fix! (But I don't see one at the moment, although I'm no professional cryptographer.)
What is the trust-free library? A plug in that allows many sites to use this protocol for authentication?
The attack I mentioned would work when a user can use this authentication protocol to log into multiple sites (ignore OpenID). Perhaps having the Mozilla add-on insert the actual URI could offer some protection, however it may still leave open social engineering attacks like phishing. Also, if the user is being man-in-the-middled, he could be tricked into signing a challenge for a different site.
A potential solution to this problem would be to include the website's public key in the challenge (or /d name so this could be recovered). Client side software (Mozilla add-on) should probably keep a list of known public keys (or /d names) like SSH does. The user can then verify a site's information and public key while logging into a site for the first time. The response could then be improved so that it is encrypted using the site's public key. Therefore the response is only good for that site since only that site can decrypt the challenge.