[OpenID] 2-Headed OpenID Auth for Increased Security?

Nat Sakimura sakimura at gmail.com
Tue Dec 2 16:16:43 UTC 2008


Well, I looked at SAML Simple Sign before putting this tag-value-izing
thing. This portion is very sketchy right now and I am not even sure if I
will keep it. However, I wanted to examine the programing ease and
extensibility etc. before discarding it especially when we consider the fact
that we do not want to parse the XRD as row string but as validated XML and
process after it.
The point I wanted to illustrate was however not this. The current proposal
has <CertURI> inside XRD.
The cert that is pointed by this CertURI must have SubjectUniqueIdentifier
which is equal to the <CanonicalID>. The certificate authority MUST
guarantee that SubjectUniqueIdentifier will never be reassigned to another
subject. Beside the usual checking of the cert for validity (including
whether the root is trustworthy from the point of view of the community
etc.), the user of this XRD checks if they are equal.
This gives insurance against domain loss/change.

For the original flow that David came up with, see my slide from the last
iiw[1] slide 6.
This is the same as what David illustrated, I think.

[1]
http://www.slideshare.net/nat_sakimura/introduction-to-openid-tx-proposed-extension-presentation

=nat

On Tue, Dec 2, 2008 at 2:56 AM, Peter Williams <pwilliams at rapattoni.com>wrote:

> Every time I see oauth, I worry / as the document can only be verified by
> closed system parties. While this is one means to loading in a trust model
> to discovery, this was not the control we were seeking to implement. We want
> trust out of the equation in openid: to be added separately.
>
> What openid needs is a open systems signing model for an xrd (just as
> saml-sigs already do for xrd in the trusted resolution of an xri) ( by
> default) - eg xmldsig. I've no objection to xmldsig using both certs (for
> open systems) AND oauth (for closed system overlays) for key management.
>
> -----Original Message-----
> From: George Fletcher <gffletch at aol.com>
> Sent: Monday, December 01, 2008 9:43 AM
> To: OpenID List <general at openid.net>
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
>
> Ben Laurie wrote:
> >
> >
> > On Mon, Dec 1, 2008 at 4:11 PM, Nat Sakimura <sakimura at gmail.com
> > <mailto:sakimura at gmail.com>> wrote:
> >
> >     FYI, see
> >
> >     http://wiki.oasis-open.org/xri/XrdOne/SimpleSign
> >
> >
> > I have no idea why that proposes to use OAuth encoding for the
> > signature. Why not simply sign the document as is?
> +1 (this is the approach taken by the SAML SimpleSign binding[1])
>
> [1] http://wiki.oasis-open.org/security/SimpleSignBinding
> >
> > It also doesn't talk at all about how one gets to trust the signing
> > cert or who should sign what.
> >
> >
> >     =nat
> >
> >     On Mon, Dec 1, 2008 at 10:41 PM, Ben Laurie <benl at google.com
> >     <mailto:benl at google.com>> wrote:
> >
> >
> >
> >         On Mon, Dec 1, 2008 at 1:23 PM, Peter Williams
> >         <pwilliams at rapattoni.com <mailto:pwilliams at rapattoni.com>>
> wrote:
> >
> >             Xrd or xrds?
> >
> >
> >         XRD.
> >
> >
> >             Interesting! if you go xrd. Then you can do dnssec-like
> >             namespace controls, much like the trusted resolution mode
> >             of xri.
> >
> >
> >         Not yet all that familar with fully blown XRD, so I'll have to
> >         take your word for this - but I am familiar with DNSSEC, so
> >         I'm wondering what you mean by a "namespace control"?
> >
> >
> >             Rather than be dnssec static, however, signatures on xrd
> >             could also serve as security tokens, citable on the peer
> >             (web) services ("managed" by the xri/uri). Butler lampson
> >             will be in heaven.
> >
> >             ________________________________
> >             From: Ben Laurie <benl at google.com <mailto:benl at google.com>>
> >             Sent: Monday, December 01, 2008 5:13 AM
> >             To: Peter Williams <pwilliams at rapattoni.com
> >             <mailto:pwilliams at rapattoni.com>>
> >             Cc: Eric Norman <ejnorman at doit.wisc.edu
> >             <mailto:ejnorman at doit.wisc.edu>>; OpenID List
> >             <general at openid.net <mailto:general at openid.net>>
> >             Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased
> >             Security?
> >
> >
> >
> >             On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams
> >             <pwilliams at rapattoni.com
> >             <mailto:pwilliams at rapattoni.com><mailto:
> pwilliams at rapattoni.com
> >             <mailto:pwilliams at rapattoni.com>>> wrote:
> >             Time to take the extension power of XRDS, and apply
> >             xmldsig "detached signature(s)"
> >
> >             Signing XRD is pretty much what we're proposing for the
> >             next generation...
> >
> >
> >
> >             This would be using similar mechanism as used in
> >             Authenticode, where designers applied 3rd-party
> >             countersigning and 4th-party timestamping to solve
> >             validity problems - at internet scale. Different parties
> >             (OP, discovery agents, validation) can then cooperate, in
> >             the inherently suspicious world of open systems.
> >
> >             The Shib/Apache-xmltooling toolset has all the mechanisms
> >             required to make power-use of the flexibility of the
> >             xmldsig standard (as do many other tools). Being very,
> >             very flexible in its references, it's easy to screw up
> >             application of xmldsig, producing unwanted sideeffects tho.
> >
> >             -----Original Message-----
> >             From: general-bounces at openid.net
> >             <mailto:general-bounces at openid.net><mailto:
> general-bounces at openid.net
> >             <mailto:general-bounces at openid.net>>
> >             [mailto:general-bounces at openid.net
> >             <mailto:general-bounces at openid.net><mailto:
> general-bounces at openid.net
> >             <mailto:general-bounces at openid.net>>] On Behalf Of Eric
> Norman
> >             Sent: Sunday, November 30, 2008 9:50 AM
> >             To: OpenID List
> >             Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased
> >             Security?
> >
> >
> >             On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
> >
> >             > I like the idea.... but the XRDS would have to
> >             mandatorily not be
> >             > hosted by either OP (which right now is commonly done),
> >             since that OP
> >             > would still ultimately have total assertion power by
> >             temporarily
> >             > manipulating the XRDS file to point to two OP endpoints
> >             that were both
> >             > controlled by the evil party.
> >
> >             Be careful.  "Hosted by" does not necessarily imply "content
> >             controlled by".
> >
> >             Eric Norman
> >
> >             _______________________________________________
> >             general mailing list
> >             general at openid.net
> >             <mailto:general at openid.net><mailto:general at openid.net
> >             <mailto:general at openid.net>>
> >             http://openid.net/mailman/listinfo/general
> >             _______________________________________________
> >             general mailing list
> >             general at openid.net
> >             <mailto:general at openid.net><mailto:general at openid.net
> >             <mailto:general at openid.net>>
> >             http://openid.net/mailman/listinfo/general
> >
> >
> >
> >         _______________________________________________
> >         general mailing list
> >         general at openid.net <mailto:general at openid.net>
> >         http://openid.net/mailman/listinfo/general
> >
> >
> >
> >
> >     --
> >     Nat Sakimura (=nat)
> >     http://www.sakimura.org/en/
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
>
> --
> Chief Architect                   AIM:  gffletch
> Identity Services                 Work: george.fletcher at corp.aol.com
> AOL LLC                           Home: gffletch at aol.com
> Mobile: +1-703-462-3494
> Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>



-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081203/5ab4ece6/attachment-0002.htm>


More information about the general mailing list