[OpenID] 2-Headed OpenID Auth for Increased Security?
Nat
sakimura at gmail.com
Tue Dec 2 22:23:26 UTC 2008
If you could point me to the patent, I would very much appreciate it.
=nat at TOKYO via iPhone
On 2008/12/03, at 1:23, Peter Williams <pwilliams at rapattoni.com> wrote:
> Name reuse controls by CAs are standard audit criteria. In the pki
> area, there are patent issues, here (which may well apply to openid
> fragments...)
>
> ________________________________
> From: Nat Sakimura <sakimura at gmail.com>
> Sent: Tuesday, December 02, 2008 8:16 AM
> To: Peter Williams <pwilliams at rapattoni.com>
> Cc: George Fletcher <gffletch at aol.com>; OpenID List <general at openid.net
> >
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
> Well, I looked at SAML Simple Sign before putting this tag-value-
> izing thing. This portion is very sketchy right now and I am not
> even sure if I will keep it. However, I wanted to examine the
> programing ease and extensibility etc. before discarding it
> especially when we consider the fact that we do not want to parse
> the XRD as row string but as validated XML and process after it.
>
> The point I wanted to illustrate was however not this. The current
> proposal has <CertURI> inside XRD.
> The cert that is pointed by this CertURI must have
> SubjectUniqueIdentifier which is equal to the <CanonicalID>. The
> certificate authority MUST guarantee that SubjectUniqueIdentifier
> will never be reassigned to another subject. Beside the usual
> checking of the cert for validity (including whether the root is
> trustworthy from the point of view of the community etc.), the user
> of this XRD checks if they are equal.
> This gives insurance against domain loss/change.
>
> For the original flow that David came up with, see my slide from the
> last iiw[1] slide 6.
> This is the same as what David illustrated, I think.
>
> [1] http://www.slideshare.net/nat_sakimura/introduction-to-openid-tx-proposed-extension-presentation
>
> =nat
>
> On Tue, Dec 2, 2008 at 2:56 AM, Peter Williams <pwilliams at rapattoni.com
> <mailto:pwilliams at rapattoni.com>> wrote:
> Every time I see oauth, I worry / as the document can only be
> verified by closed system parties. While this is one means to
> loading in a trust model to discovery, this was not the control we
> were seeking to implement. We want trust out of the equation in
> openid: to be added separately.
>
> What openid needs is a open systems signing model for an xrd (just
> as saml-sigs already do for xrd in the trusted resolution of an xri)
> ( by default) - eg xmldsig. I've no objection to xmldsig using both
> certs (for open systems) AND oauth (for closed system overlays) for
> key management.
>
> -----Original Message-----
> From: George Fletcher <gffletch at aol.com<mailto:gffletch at aol.com>>
> Sent: Monday, December 01, 2008 9:43 AM
> To: OpenID List <general at openid.net<mailto:general at openid.net>>
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
>
> Ben Laurie wrote:
>>
>>
>> On Mon, Dec 1, 2008 at 4:11 PM, Nat Sakimura <sakimura at gmail.com<mailto:sakimura at gmail.com
>> >
>> <mailto:sakimura at gmail.com<mailto:sakimura at gmail.com>>> wrote:
>>
>> FYI, see
>>
>> http://wiki.oasis-open.org/xri/XrdOne/SimpleSign
>>
>>
>> I have no idea why that proposes to use OAuth encoding for the
>> signature. Why not simply sign the document as is?
> +1 (this is the approach taken by the SAML SimpleSign binding[1])
>
> [1] http://wiki.oasis-open.org/security/SimpleSignBinding
>>
>> It also doesn't talk at all about how one gets to trust the signing
>> cert or who should sign what.
>>
>>
>> =nat
>>
>> On Mon, Dec 1, 2008 at 10:41 PM, Ben Laurie <benl at google.com<mailto:benl at google.com
>> >
>> <mailto:benl at google.com<mailto:benl at google.com>>> wrote:
>>
>>
>>
>> On Mon, Dec 1, 2008 at 1:23 PM, Peter Williams
>> <pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com> <mailto:pwilliams at rapattoni.com
>> <mailto:pwilliams at rapattoni.com>>> wrote:
>>
>> Xrd or xrds?
>>
>>
>> XRD.
>>
>>
>> Interesting! if you go xrd. Then you can do dnssec-like
>> namespace controls, much like the trusted resolution mode
>> of xri.
>>
>>
>> Not yet all that familar with fully blown XRD, so I'll have to
>> take your word for this - but I am familiar with DNSSEC, so
>> I'm wondering what you mean by a "namespace control"?
>>
>>
>> Rather than be dnssec static, however, signatures on xrd
>> could also serve as security tokens, citable on the peer
>> (web) services ("managed" by the xri/uri). Butler lampson
>> will be in heaven.
>>
>> ________________________________
>> From: Ben Laurie
>> <benl at google.com<mailto:benl at google.com> <mailto:benl at google.com<mailto:benl at google.com
>> >>>
>> Sent: Monday, December 01, 2008 5:13 AM
>> To: Peter Williams <pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com
>> >
>> <mailto:pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com
>> >>>
>> Cc: Eric Norman <ejnorman at doit.wisc.edu<mailto:ejnorman at doit.wisc.edu
>> >
>> <mailto:ejnorman at doit.wisc.edu<mailto:ejnorman at doit.wisc.edu
>> >>>; OpenID List
>> <general at openid.net<mailto:general at openid.net> <mailto:general at openid.net
>> <mailto:general at openid.net>>>
>> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased
>> Security?
>>
>>
>>
>> On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams
>> <pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com>
>> <mailto:pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com
>> >><mailto:pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com>
>> <mailto:pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com
>> >>>> wrote:
>> Time to take the extension power of XRDS, and apply
>> xmldsig "detached signature(s)"
>>
>> Signing XRD is pretty much what we're proposing for the
>> next generation...
>>
>>
>>
>> This would be using similar mechanism as used in
>> Authenticode, where designers applied 3rd-party
>> countersigning and 4th-party timestamping to solve
>> validity problems - at internet scale. Different parties
>> (OP, discovery agents, validation) can then cooperate, in
>> the inherently suspicious world of open systems.
>>
>> The Shib/Apache-xmltooling toolset has all the mechanisms
>> required to make power-use of the flexibility of the
>> xmldsig standard (as do many other tools). Being very,
>> very flexible in its references, it's easy to screw up
>> application of xmldsig, producing unwanted sideeffects
>> tho.
>>
>> -----Original Message-----
>> From: general-bounces at openid.net<mailto:general-bounces at openid.net
>> >
>> <mailto:general-bounces at openid.net<mailto:general-bounces at openid.net
>> >><mailto:general-bounces at openid.net<mailto:general-bounces at openid.net
>> >
>> <mailto:general-bounces at openid.net<mailto:general-bounces at openid.net
>> >>>
>> [mailto:general-bounces at openid.net<mailto:general-bounces at openid.net
>> >
>> <mailto:general-bounces at openid.net<mailto:general-bounces at openid.net
>> >><mailto:general-bounces at openid.net<mailto:general-bounces at openid.net
>> >
>> <mailto:general-bounces at openid.net<mailto:general-bounces at openid.net
>> >>>] On Behalf Of Eric Norman
>> Sent: Sunday, November 30, 2008 9:50 AM
>> To: OpenID List
>> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased
>> Security?
>>
>>
>> On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
>>
>>> I like the idea.... but the XRDS would have to
>> mandatorily not be
>>> hosted by either OP (which right now is commonly done),
>> since that OP
>>> would still ultimately have total assertion power by
>> temporarily
>>> manipulating the XRDS file to point to two OP endpoints
>> that were both
>>> controlled by the evil party.
>>
>> Be careful. "Hosted by" does not necessarily imply
>> "content
>> controlled by".
>>
>> Eric Norman
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net<mailto:general at openid.net>
>> <mailto:general at openid.net<mailto:general at openid.net>><mailto:general at openid.net
>> <mailto:general at openid.net>
>> <mailto:general at openid.net<mailto:general at openid.net>>>
>> http://openid.net/mailman/listinfo/general
>> _______________________________________________
>> general mailing list
>> general at openid.net<mailto:general at openid.net>
>> <mailto:general at openid.net<mailto:general at openid.net>><mailto:general at openid.net
>> <mailto:general at openid.net>
>> <mailto:general at openid.net<mailto:general at openid.net>>>
>> http://openid.net/mailman/listinfo/general
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net<mailto:general at openid.net> <mailto:general at openid.net
>> <mailto:general at openid.net>>
>> http://openid.net/mailman/listinfo/general
>>
>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>>
>>
>> ---
>> ---------------------------------------------------------------------
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net<mailto:general at openid.net>
>> http://openid.net/mailman/listinfo/general
>>
>
> --
> Chief Architect AIM: gffletch
> Identity Services Work: george.fletcher at corp.aol.com<mailto:george.fletcher at corp.aol.com
> >
> AOL LLC Home: gffletch at aol.com<mailto:gffletch at aol.com
> >
> Mobile: +1-703-462-3494
> Office: +1-703-265-2544 Blog: http://
> practicalid.blogspot.com
>
> _______________________________________________
> general mailing list
> general at openid.net<mailto:general at openid.net>
> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net<mailto:general at openid.net>
> http://openid.net/mailman/listinfo/general
>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
More information about the general
mailing list