Re: Strong authentication for PayPal versus WebPayments

On 05/15/2014 05:18 PM, Manu Sporny wrote:
> How it Works
> ------------
> 
> Here's what the Open Credentials login process looks like (right now,
> it's still under development):
> 
> 1. Website provides a "Sign In" button.
> 2. The browser displays a pop-up login screen on a login mixnet
>    requesting email + passphrase. This step can be done in the
>    same way that Persona did it - a shim that doesn't require any
>    browser buy-in in the beginning. The login mixnet is required
>    to ensure that your identity provider can't track which sites
>    you're logging in to and sending your private information to.
> 3. The user types in their email and passphrase. A hash is created
>    from the email and passphrase and a query is sent to a
>    Telehash network (DHT-based decentralized network). All identity
>    providers are connected to this network, and your one is looking out
>    for a particular query matching the hash you generated. Once it
>    detects it, your identity provider responds with an encrypted
>    chunk that is then decrypted using the passphrase.
> 4. The decrypted chunk contains a private key that can then be used
>    to counter-sign data sent from the identity provider.

Note that the design may change so that this "login" private key may
instead be stored using WebCrypto/LocalStorage via your IdP. This would
mean that the only information stored in the encrypted data returned via
Telehash would be the URL to your IdP. This may help protect against
phishing and other attacks, etc.


-- 
Dave Longley
CTO
Digital Bazaar, Inc.

Received on Thursday, 15 May 2014 22:34:51 UTC
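The hash-then-query flow in steps 3 and 4 of the quoted message, together with the IdP-URL-only variant proposed in the reply, as an added example that is not code from the original thread or from Digital Bazaar. It assumes the client seals the chunk at enrolment so the IdP only holds ciphertext, substitutes a dict for the Telehash network, and uses a toy HMAC-authenticated keystream in place of real authenticated encryption.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for the Telehash DHT: lookup_hash -> sealed chunk.
# The dict lookup plays both the query and the IdP's matching response.
TELEHASH = {}

def derive_keys(email: str, passphrase: str) -> tuple[bytes, bytes]:
    """One KDF output split into the lookup hash the network sees and a
    wrapping key that never leaves the client (assumed domain separation)."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                              email.strip().lower().encode(), 100_000, dklen=64)
    return out[:32], out[32:]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD stand-in: SHAKE keystream plus HMAC tag (use a real AEAD)."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered chunk")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def register(email: str, passphrase: str, chunk: dict) -> str:
    """Enrolment (assumed client-side): seal the chunk, publish under the hash."""
    lookup, wrap = derive_keys(email, passphrase)
    TELEHASH[lookup.hex()] = seal(wrap, json.dumps(chunk).encode())
    return lookup.hex()

def login(email: str, passphrase: str) -> dict:
    """Step 3 of the quoted flow: hash, query the network, decrypt the answer."""
    lookup, wrap = derive_keys(email, passphrase)
    blob = TELEHASH.get(lookup.hex())
    if blob is None:
        raise LookupError("no identity provider answered this query")
    return json.loads(unseal(wrap, blob))

if __name__ == "__main__":
    # Original design: the chunk carries the login private key itself.
    register("alice@example.com", "correct horse", {"private_key": "PEM-placeholder"})
    print(login("alice@example.com", "correct horse"))
    # Variant from the reply: the chunk carries only the IdP URL.
    register("bob@example.com", "hunter2", {"idp": "https://idp.example/bob"})
    print(login("bob@example.com", "hunter2"))
```

Because the lookup hash is published to the network, it is derived separately from the wrapping key so that observing a query never yields the decryption key.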