[OpenID] 2-Headed OpenID Auth for Increased Security?

George Fletcher gffletch at aol.com
Mon Dec 1 17:42:58 UTC 2008


Ben Laurie wrote:
>
>
> On Mon, Dec 1, 2008 at 4:11 PM, Nat Sakimura <sakimura at gmail.com 
> <mailto:sakimura at gmail.com>> wrote:
>
>     FYI, see 
>
>     http://wiki.oasis-open.org/xri/XrdOne/SimpleSign
>
>
> I have no idea why that proposes to use OAuth encoding for the 
> signature. Why not simply sign the document as is?
+1 (this is the approach taken by the SAML SimpleSign binding[1])

[1] http://wiki.oasis-open.org/security/SimpleSignBinding
>
> It also doesn't talk at all about how one gets to trust the signing 
> cert or who should sign what.
>
>
>     =nat
>
>     On Mon, Dec 1, 2008 at 10:41 PM, Ben Laurie <benl at google.com
>     <mailto:benl at google.com>> wrote:
>
>
>
>         On Mon, Dec 1, 2008 at 1:23 PM, Peter Williams
>         <pwilliams at rapattoni.com <mailto:pwilliams at rapattoni.com>> wrote:
>
>             Xrd or xrds?
>
>
>         XRD.
>          
>
>             Interesting! if you go xrd. Then you can do dnssec-like
>             namespace controls, much like the trusted resolution mode
>             of xri.
>
>
>         Not yet all that familiar with fully blown XRD, so I'll have to
>         take your word for this - but I am familiar with DNSSEC, so
>         I'm wondering what you mean by a "namespace control"?
>          
>
>             Rather than be dnssec static, however, signatures on xrd
>             could also serve as security tokens, citable on the peer
>             (web) services ("managed" by the xri/uri). Butler Lampson
>             will be in heaven.
>
>             ________________________________
>             From: Ben Laurie <benl at google.com <mailto:benl at google.com>>
>             Sent: Monday, December 01, 2008 5:13 AM
>             To: Peter Williams <pwilliams at rapattoni.com
>             <mailto:pwilliams at rapattoni.com>>
>             Cc: Eric Norman <ejnorman at doit.wisc.edu
>             <mailto:ejnorman at doit.wisc.edu>>; OpenID List
>             <general at openid.net <mailto:general at openid.net>>
>             Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased
>             Security?
>
>
>
>             On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams
>             <pwilliams at rapattoni.com
>             <mailto:pwilliams at rapattoni.com><mailto:pwilliams at rapattoni.com
>             <mailto:pwilliams at rapattoni.com>>> wrote:
>             Time to take the extension power of XRDS, and apply
>             xmldsig "detached signature(s)"
>
>             Signing XRD is pretty much what we're proposing for the
>             next generation...
>
>
>
>             This would be using similar mechanism as used in
>             Authenticode, where designers applied 3rd-party
>             countersigning and 4th-party timestamping to solve
>             validity problems - at internet scale. Different parties
>             (OP, discovery agents, validation) can then cooperate, in
>             the inherently suspicious world of open systems.
>
>             The Shib/Apache-xmltooling toolset has all the mechanisms
>             required to make power-use of the flexibility of the
>             xmldsig standard (as do many other tools). Being very,
>             very flexible in its references, it's easy to screw up
>             application of xmldsig, producing unwanted side effects tho.
>
>             -----Original Message-----
>             From: general-bounces at openid.net
>             <mailto:general-bounces at openid.net><mailto:general-bounces at openid.net
>             <mailto:general-bounces at openid.net>>
>             [mailto:general-bounces at openid.net
>             <mailto:general-bounces at openid.net><mailto:general-bounces at openid.net
>             <mailto:general-bounces at openid.net>>] On Behalf Of Eric Norman
>             Sent: Sunday, November 30, 2008 9:50 AM
>             To: OpenID List
>             Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased
>             Security?
>
>
>             On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
>
>             > I like the idea.... but the XRDS would have to
>             mandatorily not be
>             > hosted by either OP (which right now is commonly done),
>             since that OP
>             > would still ultimately have total assertion power by
>             temporarily
>             > manipulating the XRDS file to point to two OP endpoints
>             that were both
>             > controlled by the evil party.
>
>             Be careful.  "Hosted by" does not necessarily imply "content
>             controlled by".
>
>             Eric Norman
>
>             _______________________________________________
>             general mailing list
>             general at openid.net
>             <mailto:general at openid.net><mailto:general at openid.net
>             <mailto:general at openid.net>>
>             http://openid.net/mailman/listinfo/general
>
>
>
>
>
>
>
>     -- 
>     Nat Sakimura (=nat)
>     http://www.sakimura.org/en/
>
>

-- 
Chief Architect                   AIM:  gffletch
Identity Services                 Work: george.fletcher at corp.aol.com
AOL LLC                           Home: gffletch at aol.com
Mobile: +1-703-462-3494           
Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
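Added example (not code from this thread, the SimpleSign proposals, or any participant): a small Go program showing what "simply sign the document as is" means in practice, and where Ben's trust question lands. The signer hashes the exact bytes of an XRD-style document and produces a detached signature; the verifier accepts the document only if the signature checks out under a key in its own configured trust-anchor list. The `sampleXRD` content, the function names and the key names are assumptions constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// sampleXRD is a constructed, illustrative XRD-style document. Its only job is
// to be a byte string that gets signed exactly as-is.
const sampleXRD = `<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://example.com/user</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/signon" href="https://op.example.com/auth"/>
</XRD>`

// SignDetached signs the document bytes exactly as received: no OAuth-style
// parameter re-encoding, no canonicalisation step. The signature is returned
// separately ("detached"), so the document itself is not altered.
func SignDetached(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDetached accepts the document only if the detached signature verifies
// under one of the verifier's trust anchors. Deciding which keys belong in
// that list is the "how does one get to trust the signing cert" question from
// the thread; this example simply takes it as configured input.
func VerifyDetached(trusted []*rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	for _, pub := range trusted {
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err == nil {
			return true
		}
	}
	return false
}

func main() {
	// Two keys: one the verifier has chosen to trust (an OP's), one it has not.
	opKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rogueKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	trusted := []*rsa.PublicKey{&opKey.PublicKey}

	doc := []byte(sampleXRD)
	sig, err := SignDetached(opKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("detached signature (base64, truncated):",
		base64.StdEncoding.EncodeToString(sig)[:32], "...")

	fmt.Println("original bytes, trusted key:   ", VerifyDetached(trusted, doc, sig))
	// Because the raw bytes were signed, any change to them, even trailing
	// whitespace, invalidates the signature.
	fmt.Println("bytes changed (trailing newline):", VerifyDetached(trusted, []byte(sampleXRD+"\n"), sig))
	// A valid signature from a key outside the trust list is still rejected.
	rogueSig, _ := SignDetached(rogueKey, doc)
	fmt.Println("valid signature, untrusted key:", VerifyDetached(trusted, doc, rogueSig))
}
```

Signing the raw bytes keeps the signer and verifier trivially in agreement about what was signed, at the cost that any intermediary re-serialising the XML breaks the signature; the Shibboleth-style xmldsig approach discussed above trades that simplicity for canonicalisation and reference flexibility.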
