[OpenID] Trust + Security @ OpenID

Peter Williams pwilliams at rapattoni.com
Sat Jul 7 04:57:59 UTC 2007


In my analysis:-
 
1. We are at the "shall OpenID2.0 be adopted" point. It's therefore appropriate to be scrutinizing carefully the rationales and claims associated with YADIS and non-URL naming servers and resolvers. After all, these properties and features had little or nothing to do with what made OpenID1.x successful. Dumping the URL for the theory of XRIs is a dangerous political move! Not everyone may recall one of Steve Crocker's (Mr RFC 1) punch lines, used during the early .com era: the proof that the Internet has indeed (finally) arrived is manifest by looking at even Madison Av billboard advertisements: look at those URLs, folks!
 
2. We should also be asking: "is OpenID - a means of proving one owns an identity URI - also technically suitable for authenticating the channels enforcing privacy and other sharing policies"? This is by no means clear to me, yet. OpenID Exchange is NOT a community "endorsed" spec, let's note (thankfully!)
 
3. We also have to look increasingly carefully at the exposition of the core design philosophy. If one evaluates the primary claim of the movement - as one day a Common Criteria evaluator MUST - then we see that "OpenID is completely decentralized meaning that anyone can choose to be a Consumer or Identity Provider without having to register or be approved by any central authority" is a somewhat "vacuous" central claim. The same is true for PKI, in practice. The same is true for SAML, in practice. The same is true for SSL, in practice. The same is true for inter-domain web cookies achieving SSO, in practice. It's even true for federation-centric schemes like Shibboleth, that also admit and greatly benefit from bilateral opt-outs by sites from the centralized policy management regimes. So... So what! OpenID?
 
 
________________________________

From: general-bounces at openid.net on behalf of Eddy Nigg (StartCom Ltd.)
Sent: Fri 7/6/2007 3:01 PM
To: general at openid.net
Subject: [OpenID] Trust + Security @ OpenID


Hi All,

Last year I was subscribed to this and some other mailing lists at OpenID. Some progress has been made since last year and my thoughts on this subject are here: https://blog.startcom.org/?p=20
However, it seems to me, after browsing through the archive for a while, that the same issues (I raised last year already) seem to come up again and again at this forum: that of trust and security. We've been through all these discussions already various times...with no results! But it also seems to me that there are people willing to offer ideas and solutions about how to allow relying parties to trust and actually rely on OpenID providers. (I wonder why the OpenID Foundation and its members refrain from addressing this critical issue! Is it on purpose and by design? I think there are many on this list who would like to get an answer on this from one of the board members.)

Nevertheless, since the OpenID framework is open and can be extended to solve the problems in question, the interested participants and parties might try to solve them without waiting for anybody...ideas, suggestions?


-- 

Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390
