Identity in the Browser: Security and Protocol Issues

From IIW

Convener: Jeff Hodges

Notes-taker: Breno de Medeiros


Identity in the Browser and other security topics related to active clients.

Discussion notes:


  • HTTP/S and browser approaches
  • New client approaches (active selectors?)
  • Automatic validation/ auditing

Server convergence of HTTP policy to client:

  • Content-Security Policy
  • Origin header
  • Cross-Origin resource sharing (W3C/HTML5)
  • Content-sniffing
  • Strict transport security (forced HTTPS)

Holder of key in a selector?

  • Access to keying material in shared
  • Binding of keyed material to transport (SRP)
  • Hard to do on sliced hosts …

Consistency for user

  • OP in popup box: easy to spoof?
  • Browser toolbar – privileged chrome
  • address bar must be displayed : what if it isn't?
  • Popup phishing whitelist/blacklist
  • If the RP could really know which id to use, the experience would be softer, but would the user understand?
  • How to best leverage a 2nd authentication setup step?