security
Dick Hardt
dick at sxip.com
Mon Oct 23 01:53:44 UTC 2006
On 22-Oct-06, at 3:03 PM, Alaric Dailey wrote:
> Ok... If we look for a second at the talks that inspired me to look at
> OpenID and Sxip
>
> http://www.identity20.com/media/OSCON2005/
> http://identity20.com/media/ETECH_2006/
>
> We find that one of the most interesting things in it is the claim that
> it's better than the other solutions because (paraphrasing) "it's simple,
> open and secure"
>
> Ok, we will ignore the fact that we are trusting someone else's validation
> of a user for our site, which is a HUGE issue in the case of sites that
> really need to be secure.
For sites that really need to be secure, they may want a claim that
strong authentication from a trusted vendor was used to authenticate
the user. OpenID can support this.
> Let's turn our attention for the moment to the fact that one of the
> benefits of OpenID is that the user gets to pick who they share what data
> with. Transmit that data unencrypted, and BOOM that choice is gone.
> Don't secure the login pages with encryption, and BOOM, you put all
> relying sites at risk.
>
> Now, if I am a potential membersite, I can't trust OpenID because I know
> that encryption is optional, I also know that any data transmitted to me
> unencrypted can not be trusted AT ALL because it could have been modified
> en-route.
If you are an RP (Membersite) that is currently getting data
from a form POST using HTTP, then you are in the same situation.
> Lastly without either mutual validation, or DNSSEC, I am not even sure
> that I am connecting to the homesite I think, because of issues with DNS
> poisoning.
Agreed there
>
> Is OpenID/Identity 2.0 really a house of cards? Giving nothing to the
> world other than blogs and other useless sites a way to simplify their
> authentication?
Lots of people would consider those sites to be really useful! ...
but that is off-topic. :-)
In 1994, people were forecasting we would be doing online banking, but it
was several years before that happened.
Similarly, I see OpenID being used in pretty straightforward
applications initially, and then in more sensitive applications as
the technology matures and it is understood.
There is a pretty straightforward extension mechanism for OpenID. I
foresee the use of DNSSEC and PKI in the future with OpenID. Same
general conversation, but with significantly more security.
In other words, we start with the low risk areas where a boo-boo
won't be disastrous. We add layers of security over time and a site
dials up the amount of security they require for their application.
Please have patience. We are all wanting the same thing. It is
important to deal with the reality of who will deploy solutions like
this today and get OpenID 2.0 out the door.
It would be great for you guys to help design extensions that are
more secure for the future.
-- Dick