2014/SF/IndieAuth

 IndieAuth Security  was one of several discussion sessions at IndieWebCamp 2014/SF.

Notes here are archived from https://etherpad.mozilla.org/indiewebcamp-indieauth

IndieAuth Security

When: 2014-03-07 16:15


 * HTTPS is a requirement
 * Authorization vs Authentication

https://github.com/indieweb/indieauth-client-php


 * Auth server pinning?
 * Seems like a good idea, needs more work (maybe even just add TTL to the auth server link, need nocache on the home page too)
 * OpenID has the same problem. Has any research been done there?
 * XMPP solved this by not allowing the XMPP server to specify the auth, it has to happen at the DNS layer
 * harder to hijack a DNS entry than it is to hijack a web page
 * Webfinger - a lot of discussion about using DNS, but decided not to. But the lessons from webfinger may not apply since webfinger did not assume people owned the domain
 * Webfinger optimized for consumer, so didn't want to put the burden of DNS discovery on consumers

Dynamic (lack of) registration
 * Aaron TODO: require validation of redirect URIs for apps by client ID being the app's URL
 * OpenID did this with an XRDS doc

General feeling is if my site is pwned then I've got bigger problems

Goal should be to have the security no worse than current hosted wordpress security.