Specifying identifier recycling
Recordon, David
drecordon at verisign.com
Sun Jun 3 00:14:36 UTC 2007
> Overall, I'm not sure we are ready in this community to pick one
> alternative over another as "the standards". I have my views,
> (many) others have (many) others -- and I don't think that any
> of this has to be in an Authentication 1.x (x>1) or 2.0 spec,
> whatever it will be. This seems like a clean add-on.
I also agree with Johannes here. I'd like to see this written as an
extension so that if the first approach doesn't work, the Auth spec
itself doesn't have to be "reverted. Rather we can finish 2.0 and try
implementing different approaches before deciding on the final way to
solve this problem.
SREG shows how 1.1 can be extended, 2.0 clarifies this mechanism and
makes it more robust, let's take advantage of it especially given that
not all providers require this feature (whether via fragments or public
keys).
--David
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Johannes Ernst
Sent: Wednesday, May 30, 2007 10:30 PM
To: OpenID specs list
Subject: Re: Specifying identifier recycling
If we cannot assume that nobody manages to obtain a secret they
should not have gotten in the first place, then OpenID as it stands
is rather useless as we cannot trust its authentication scheme.
Note that the surface through which the D-H shared secret can escape
is about twice as large as the surface through which a private key
can escape -- because an RP does not have access to the private key.
In other words, if I was an attacker, I'd go after a lot of things
first before I'd try to obtain a private key.
Note also that public keys would make rather good i-numbers -- for
those who would like to, they can ignore that they are public keys
and do i-number-based verification only, because they are simply
numbers. For those who don't care about i-numbers, they use their
public key aspects. Win-win, perhaps?
There is also the case -- which Stefan Brands would undoubtedly bring
up if he was on this list -- that the IdP may be hostile, or may
become hostile. (think of, say, a large OpenID provider going out of
business, and being bought out by spammer.com -- or just the domain
name whose registration lapsed) A scheme that is public key based is
inherently more resilient towards this than one that is not. You
certainly don't want to trust spammer.com to honor whatever
conventions the previous owner of the domain put in place to
disambiguate their users.
--
Overall, I'm not sure we are ready in this community to pick one
alternative over another as "the standards". I have my views, (many)
others have (many) others -- and I don't think that any of this has
to be in an Authentication 1.x (x>1) or 2.0 spec, whatever it will
be. This seems like a clean add-on.
On May 30, 2007, at 22:01, Drummond Reed wrote:
> Johannes:
>
> What about the point Dick posted earlier in this thread, that the
> problem
> with using a public key is if the private key gets compromised?
> Persistent
> identifiers need to persist independent of any attribute changing
> or being
> revoked.
>
> =Drummond
>
> -----Original Message-----
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
> Behalf
> Of Johannes Ernst
> Sent: Wednesday, May 30, 2007 9:54 PM
> To: OpenID specs list
> Subject: Re: Specifying identifier recycling
>
>
> On May 30, 2007, at 21:02, Johnny Bufu wrote:
>
>> ...The bottom line is
>> that it can't be done easily - a mechanism similar to XRI's canonical
>> ID verification would have to be employed, to confirm that the i-
>> number actually 'belongs' to the URL on which discovery was
>> initiated. (Otherwise anyone could put any i-number in their URL-
>> based XRDS files.)
>
> Public keys ... public keys ... with the added benefit that no
> centralized or trusted verification service needs to be employed
> whatsoever ...
>
>
>
>
> Johannes Ernst
> NetMesh Inc.
>
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
More information about the specs
mailing list