[OpenID] 2-Headed OpenID Auth for Increased Security?

Nat Sakimura sakimura at gmail.com
Mon Dec 1 16:11:32 UTC 2008


FYI, see
http://wiki.oasis-open.org/xri/XrdOne/SimpleSign

=nat

On Mon, Dec 1, 2008 at 10:41 PM, Ben Laurie <benl at google.com> wrote:

>
>
> On Mon, Dec 1, 2008 at 1:23 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
>
>> Xrd or xrds?
>
>
> XRD.
>
>
>> Interesting! if you go xrd. Then you can do dnssec-like namespace
>> controls, much like the trusted resolution mode of xri.
>
>
> Not yet all that familiar with fully blown XRD, so I'll have to take your
> word for this - but I am familiar with DNSSEC, so I'm wondering what you
> mean by a "namespace control"?
>
>
>> Rather than be dnssec static, however, signatures on xrd could also serve
>> as security tokens, citable on the peer (web) services ("managed" by the
>> xri/uri). Butler Lampson will be in heaven.
>>
>> ________________________________
>> From: Ben Laurie <benl at google.com>
>> Sent: Monday, December 01, 2008 5:13 AM
>> To: Peter Williams <pwilliams at rapattoni.com>
>> Cc: Eric Norman <ejnorman at doit.wisc.edu>; OpenID List <general at openid.net>
>> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>>
>>
>>
>> On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
>> Time to take the extension power of XRDS, and apply xmldsig "detached
>> signature(s)"
>>
>> Signing XRD is pretty much what we're proposing for the next generation...
>>
>>
>>
>> This would be using similar mechanism as used in Authenticode, where
>> designers applied 3rd-party countersigning and 4th-party timestamping to
>> solve validity problems - at internet scale. Different parties (OP,
>> discovery agents, validation) can then cooperate, in the inherently
>> suspicious world of open systems.
>>
>> The Shib/Apache-xmltooling toolset has all the mechanisms required to make
>> power-use of the flexibility of the xmldsig standard (as do many other
>> tools). Being very, very flexible in its references, it's easy to screw up
>> application of xmldsig, producing unwanted side effects though.
>>
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>> Behalf Of Eric Norman
>> Sent: Sunday, November 30, 2008 9:50 AM
>> To: OpenID List
>> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>>
>>
>> On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
>>
>> > I like the idea.... but the XRDS would have to mandatorily not be
>> > hosted by either OP (which right now is commonly done), since that OP
>> > would still ultimately have total assertion power by temporarily
>> > manipulating the XRDS file to point to two OP endpoints that were both
>> > controlled by the evil party.
>>
>> Be careful.  "Hosted by" does not necessarily imply "content
>> controlled by".
>>
>> Eric Norman
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>
>
>


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
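Andrew Arnott's concern above, that an OP which hosts the XRDS could temporarily rewrite it so both endpoints point at the same evil party, suggests a check a relying party can run before trusting a "two-headed" discovery document. The following is an added example, not code from this thread or from any OpenID library: it parses a constructed OpenID 2.0 XRDS (hostnames are hypothetical), collects the signon endpoints, and flags documents where the endpoints share a host, are not served over https, or where the XRDS itself is served from one of the OP hosts. Host distinctness is only a crude proxy for independent control, which is exactly Eric Norman's caveat: "hosted by" is not "content controlled by".

```python
"""Sanity checks for a two-OP OpenID 2.0 XRDS discovery document.

Added example, not code from the mailing-list thread or from any OpenID
implementation. The XRDS below is constructed and its hostnames are
hypothetical. Uses only the Python standard library.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces and service type from the OpenID 2.0 / XRDS specifications.
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample: a user's XRDS listing two independent OPs.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-one.example/openid</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-two.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def signon_endpoints(xrds_text):
    """Return the URIs of every Service that advertises the OpenID signon type."""
    root = ET.fromstring(xrds_text)
    endpoints = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OPENID_SIGNON not in types:
            continue
        for uri in svc.findall(f"{{{XRD_NS}}}URI"):
            if uri.text and uri.text.strip():
                endpoints.append(uri.text.strip())
    return endpoints


def check_two_headed(xrds_text, xrds_url, min_ops=2):
    """Return a list of findings; an empty list means the document passes.

    xrds_url is where the relying party actually fetched the XRDS from, so
    that a document served by one of its own OPs can be flagged (Andrew
    Arnott's concern). Hostname comparison is a crude proxy for "controlled
    by a different party" and nothing more.
    """
    findings = []
    endpoints = signon_endpoints(xrds_text)
    if len(endpoints) < min_ops:
        findings.append(f"only {len(endpoints)} signon endpoint(s); need {min_ops}")

    hosts = []
    for ep in endpoints:
        parsed = urlparse(ep)
        if parsed.scheme != "https":
            findings.append(f"{ep}: endpoint is not https")
        hosts.append((parsed.hostname or "").lower())

    # Two "heads" on the same host give no independence at all.
    shared = sorted({h for h in hosts if hosts.count(h) > 1})
    if shared:
        findings.append("endpoints share a host: " + ", ".join(shared))

    # An OP that also serves the XRDS can rewrite it to point at itself twice.
    xrds_host = (urlparse(xrds_url).hostname or "").lower()
    if xrds_host in hosts:
        findings.append(f"XRDS served from OP host {xrds_host}")

    return findings


if __name__ == "__main__":
    print(signon_endpoints(SAMPLE_XRDS))
    print(check_two_headed(SAMPLE_XRDS, "https://user.example.net/id"))
    print(check_two_headed(SAMPLE_XRDS, "https://op-one.example/user"))
```

Run it stand-alone and the first check returns no findings, while fetching the same document from op-one.example produces a "XRDS served from OP host" finding. A real deployment would combine this with signature verification over the XRD, which the thread proposes but this example does not implement.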