security

Recordon, David drecordon at verisign.com
Sun Oct 22 22:23:31 UTC 2006


Alaric,
I think both you and Dick are right.  Don't get me wrong, security is
very important to see anything like OpenID be adopted.  I think the
point Dick is trying to make is that security needs to scale depending
on context, or at least that is the point I'd try to make.

Starting with 2.0, or 1.2 whatever we end up calling it, I personally
would not use an Identity Provider which does not both host my
identifier and its server endpoint via a valid SSL certificate.  There
are however use cases where SSL is not required, running OpenID solely
on an intranet for example, but for the majority of cases SSL is highly
recommended which I think the spec makes clear.  If it doesn't, please
let us know!

So I don't think security is binary, IMHO what is important is that the
spec makes it clear where the weaknesses are, how to protect them, and
recommends the use of things like valid SSL certificates for the entire
protocol flow.

--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Alaric Dailey
Sent: Sunday, October 22, 2006 3:03 PM
To: general at openid.net
Subject: RE: security

Ok...  If we look for a second at the talks that inspired me to look at
OpenID and Sxip

http://www.identity20.com/media/OSCON2005/
http://identity20.com/media/ETECH_2006/

We find that one of the most interesting things in it is the claim that
it's better than the other solutions because (paraphrasing) "it's simple,
open and secure"

Ok, we will ignore the fact that we are trusting someone else's
validation of a user for our site, which is a HUGE issue in the case of
sites that really need to be secure.  Let's turn our attention for the
moment to the fact that one of the benefits of OpenID is that the user gets
to pick who they share what data with.  Transmit that data unencrypted,
and BOOM that choice is gone.
Don't secure the login pages with encryption, and BOOM, you put all
relying sites at risk.

Now, if I am a potential membersite, I can't trust OpenID because I know
that encryption is optional, I also know that any data transmitted to me
unencrypted can not be trusted AT ALL because it could have been
modified en-route.

Lastly without either mutual validation, or DNSSEC, I am not even sure
that I am connecting to the homesite I think, because of issues with DNS
poisoning.

Is OpenID/Identity 2.0 really a house of cards?  Giving the world
nothing other than a way for blogs and other useless sites to simplify
their authentication?

After watching those two presentations I had really high expectations.

I think OpenID is a GREAT idea, but the responses I see to Eddy's and my
questions give me no comfort that it has been thought through nearly as
well as those presentations would make it look.  At least not in terms
of making it secure, and without being secure, I don't see it being very
useful in this day and age.


Finally, if LiveJournal doesn't want to use SSL, especially with
low-cost and free SSL certs available, I have to wonder, why?  What is
the reason?  Too cheap to buy cheap certs, lack of interest in their
users' privacy?  Maybe they only see their support of OpenID as a good PR
move and only want to put minimal effort into it.

In this day and age, with phishing, pharming, identity theft, spyware,
viruses, and data compromises (like Citibank and ChoicePoint)
authorization and authentication systems HAVE to be secure, what good
does it do otherwise?
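David's rule above (the identifier and the IdP's server endpoint both served via a valid SSL certificate, with an intranet exception) and Alaric's objections (unencrypted data cannot be trusted; without certificate validation a DNS-poisoned answer can send you to the wrong "homesite") are the kind of thing a relying party can check mechanically. The following is an added example, not code from the OpenID project or from anyone in this thread. It assumes plain HTML link discovery (the openid.server / openid.delegate relations of 1.x and the openid2.provider / openid2.local_id relations of the 2.0 drafts), and the identifier page, hostnames and URLs in it are constructed for illustration.

```python
"""Check an OpenID identifier's HTML discovery document against an
'https everywhere' policy: the identifier itself and every provider
endpoint it points at must be served over https, and (optionally, on a
live network) the endpoint's certificate must validate.

Added example; not code from the OpenID project or from the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import socket
import ssl

# Link relations used by HTML-based OpenID discovery (openid.* for 1.x,
# openid2.* for the 2.0 drafts).  Assumption: the relying party does
# plain HTML link discovery, not Yadis/XRDS.
ENDPOINT_RELS = {"openid.server", "openid2.provider"}
LOCAL_ID_RELS = {"openid.delegate", "openid2.local_id"}

# Constructed sample: a hypothetical identifier page whose 1.x endpoint
# is still plain http while the 2.0 endpoint is https.
SAMPLE_IDENTIFIER = "https://alice.example.net/"
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="http://idp.example.net/openid/server">
<link rel="openid.delegate" href="https://idp.example.net/users/alice">
<link rel="openid2.provider" href="https://idp.example.net/openid/server">
<link rel="openid2.local_id" href="https://idp.example.net/users/alice">
</head><body>alice's page</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (rel, href) pairs from <link> tags; a rel attribute may
    carry several space-separated values."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        if not href:
            return
        for rel in (attr.get("rel") or "").split():
            self.links.append((rel.lower(), href))


def discover(identifier, html):
    """Return the OpenID-relevant links as (rel, absolute_url)."""
    parser = LinkExtractor()
    parser.feed(html)
    wanted = ENDPOINT_RELS | LOCAL_ID_RELS
    return [(rel, urljoin(identifier, href))
            for rel, href in parser.links if rel in wanted]


def check_policy(identifier, html, require_tls=True):
    """Return (ok, findings).  With require_tls=False (the intranet case
    from the thread) only the presence of an endpoint is checked."""
    findings = []
    links = discover(identifier, html)
    if not any(rel in ENDPOINT_RELS for rel, _ in links):
        findings.append("no OpenID endpoint link in discovery document")
    if require_tls:
        if urlparse(identifier).scheme != "https":
            findings.append(f"identifier {identifier} is not https")
        for rel, url in links:
            if urlparse(url).scheme != "https":
                findings.append(f"{rel} {url} is not https")
    return not findings, findings


def tls_certificate_ok(url, timeout=5.0):
    """Live check (needs network, not run by the sample below): open a
    TLS connection with Python's default context, which verifies the
    chain against the system trust store and matches the hostname.
    A spoofed DNS answer pointing at a host without a valid certificate
    for that name fails here."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "not an https URL"
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((parts.hostname, parts.port or 443),
                                      timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
                return True, tls.getpeercert().get("subject")
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    ok, findings = check_policy(SAMPLE_IDENTIFIER, SAMPLE_HTML)
    print("policy ok" if ok else "policy violations:")
    for f in findings:
        print("  -", f)
```

Run as a script it reports the one violation in the constructed page, the plain-http openid.server endpoint. The scheme check is deliberately separate from the certificate check: an https URL says nothing until the certificate chain and hostname have been verified, which is what tls_certificate_ok does against a live endpoint, and a relying party that skips that step still has Alaric's DNS problem.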



-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Dick Hardt
Sent: Sunday, October 22, 2006 12:26 PM
To: Eddy Nigg (StartCom Ltd.)
Cc: general at openid.net
Subject: Re: security


On 22-Oct-06, at 10:01 AM, Eddy Nigg (StartCom Ltd.) wrote:

> Dick Hardt wrote:
>> Most sites moving sensitive user data use SSL. I predict that any IdP
>> that does not use SSL is an experimental IdP that is doing simple
>> authorization.
> And what if not? There must be a clear answer....
>> Users have been educated that the little lock should appear on
>> sensitive data, and will not want to do sensitive transactions
>> without it being there.
> And what if not? What happens then?
>> There are many web applications that are not moving sensitive user
>> data and do not need to employ SSL. Slashdot being an example.
>> Given their requirements, there is no need to force those potential
>> RPs to support SSL. Supporting a security gradient is an important
>> design choice in adoption of an identity due to the wide spectrum of
>> security requirements of sites.
> Look, in my opinion there is no reason whatsoever NOT to require SSL.
> I didn't hear one good argument for not requiring a minimum set of
> security - of which SSL encryption certainly is. It's like you want to
> shoot yourself in the foot - instead of preparing for all
> possibilities (including critics) the best it can get - without
> requesting too much....Today SSL for a web site is affordable and easy
> to achieve. OpenID should return "unknown protocol, try https"
> for regular http requests...

There is no reason to force an RP that is not using SSL today to use it
with OpenID.
Do you think that Slashdot does not use SSL because they can't afford
it?
No, it is because it is not sensitive enough, and the performance
overhead of SSL is too high for the marginal benefit.

There is a case for the IdP to use SSL, but the biggest one right now,
Livejournal, does not support SSL and there was significant push back on
making it a requirement.

I think the market will dictate what is needed.

>
> Adoption of OpenID might be even higher with a minimal set of security
> related requirements, because it shows that you thought about the
> various other aspects - not just the geeky lets-make-it-work
> standards. It is going to make this network much more serious in my
> opinion. It will also send out a message that this standard will not
> just be for hobbyists and forum, blog logins, but it may extend and
> expand to more serious functions...

I completely agree that we need to communicate to people that these
issues were thought through.

>> 3rd party claims about the URI are out of scope of OpenID 
>> Authentication. OpenID Attribute Exchange enables moving those 
>> around. There is still work to be done on those specifications.
> Excellent! At which part(s) or papers should I look for these?

All the specs are here:
	http://openid.net/specs.bml

Discussion is on the specs at openid.net list.

-- Dick
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
