Identity in the Browser: Security and Protocol Issues

Convener: Jeff Hodges

Notes-taker: Breno de Medeiros

Tags: 

Identity in the Browser and other security topics related to active clients.

Discussion notes:

Items:
 * HTTP/S and browser approaches
 * New client approaches (active selectors?)
 * Automatic validation / auditing

Server-to-client HTTP policy (policy the server conveys to the browser in headers):
 * Content Security Policy (CSP)
 * Origin header
 * Cross-Origin Resource Sharing (CORS, W3C/HTML5)
 * Content-sniffing (and opting out of it)
 * HTTP Strict Transport Security (HSTS, forced HTTPS)
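As an added illustration of the items above (this code is not from the session notes or from any of the participants), here is a small Node.js request handler that attaches the server-side policy headers that were discussed (CSP, X-Content-Type-Options for content-sniffing, HSTS) and validates the request's Origin header before answering a CORS request. The origins in the allowlist and in the tests are constructed for the example; the weak "reflect any Origin" variant is included only to contrast it with the exact-match allowlist check.

```javascript
// Added example, not part of the IIW notes. Runs on plain Node.js (no
// dependencies); `URL` is a global in Node 10+.

// Constructed allowlist of first-party origins (hypothetical names).
const ALLOWED_ORIGINS = new Set([
  'https://app.example',
  'https://rp.example',
]);

// Baseline policy headers a server attaches to every response.
function securityHeaders() {
  return {
    // CSP: scripts only from this origin, no plugins, no framing by anyone.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    // Tell the browser not to sniff a content type different from the one declared.
    'X-Content-Type-Options': 'nosniff',
    // HSTS: for one year, this host and its subdomains are HTTPS-only.
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  };
}

// Weak pattern: reflect whatever Origin the client sent and allow credentials.
// Any site can then read this server's authenticated responses cross-origin.
function corsHeadersReflecting(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact-match the Origin against the allowlist.
// Returns null when the request must get no CORS headers at all.
function corsHeadersFor(origin) {
  // Missing header, or the opaque "null" origin (sandboxed iframes, file://).
  if (typeof origin !== 'string' || origin === 'null') return null;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null; // not a URL at all
  }
  // A real Origin is scheme://host[:port] with no path or trailing slash;
  // anything else is malformed or an attempt to confuse a prefix check.
  if (parsed.origin !== origin) return null;
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin, or one origin's answer is served to another.
    'Vary': 'Origin',
  };
}

// Pure request handler: given the method and request headers, decide the
// response status and headers. Keeping it free of I/O makes the policy
// decisions testable; wire it into http.createServer to serve it.
function respond(method, reqHeaders) {
  const headers = securityHeaders();
  const cors = corsHeadersFor(reqHeaders['origin']);
  if (cors) Object.assign(headers, cors);
  if (method === 'OPTIONS') {
    // Preflight: acknowledge it only for allowed origins.
    if (!cors) return { status: 403, headers };
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: 200, headers };
}
```

`respond` deliberately never reflects an unknown Origin: a disallowed cross-origin request still receives the page (the browser enforces the same-origin policy on the response), but it carries no Access-Control-Allow-Origin header, so script on the caller's origin cannot read it. With the reflecting variant the same request would be readable by any site, credentials included.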

Holder of key in a selector?
 * Access to keying material in shared
 * Binding of keying material to transport (SRP)
 * Hard to do on sliced hosts …

Consistency for the user
 * OP in popup box: easy to spoof?
 * Browser toolbar – privileged chrome
 * Address bar must be displayed: what if it isn't?
 * Popup phishing whitelist/blacklist
 * If the RP could really know which ID to use, the experience would be smoother, but would the user understand?
 * How to best leverage a 2nd authentication setup step?