[OpenID] OpenID and trust

Avery Glasser aglasser at vxvsolutions.com
Sat Jan 13 20:15:58 UTC 2007


As one of the originators of the AQE - in an enterprise scenario, which is where AQE will be more likely consumed, the problem will be less solved by automated methods and more often by simply not being a promiscuous relying party. Enterprises will use whitelists to determine which OPs they trust.

The interesting and inevitable outcome of OpenID moving into the enterprise space is that as Enterprises push requirements out to OPs so that they can be "trusted" internally, these OPs will come together to create self-defined federations.

Now, this is where it gets interesting as a new class of firms will start to pop up - assertion auditors for a lack of better terms. It could be as simple as an OP declaring that they are part of the XYZ-Federation and providing the URI to the XYZ-Federation assertion auditor service that will confirm their membership. However, it could go as deep as being able to request how the user's address was confirmed (or any attribute) and being referred either to an internal policy statement or to an external assertion auditor service which confirms how the user's attribute was validated.

But it all comes down to trust. Either the enterprise will choose to trust specific OPs, or will choose to trust certain Assertion Auditors.

There was an interesting blog-thread on this from Paul Madsen, myself and others. You can start at http://activeanalysis.net/node/23 (registration required) or http://www.karmicjustice.org/2006/12/20/openid-and-promiscuity/ (no registration required) and work your way back.

- Avery

>Hi all,
>while I do understand that OpenID authentication is about
>authentication, not trust, the "higher" level specifiaction are about
>trust. Assertion Quality Extension is one of examples.
>"We acknowledge that, while none of the information expressed via this
>extension can be verified by the Relying Party in a technological
>fashion, this need not be viewed as an issue. The lack of an inherent
>trust model within OpenID allows for Relying Parties to decide which
>OPs they trust using whatever criteria they choose - likewise RPs will
>decide whether or not to trust claims as to authentication quality
>from such OPs as well."
>I don't quite get it. How can RP get information about OP's? I can
>write an spam-OP which will always return information, that user was
>authenticated using eg. token (even if it's not true).
>There are some solutions, but each one has some shortcomings:
>* "white lists/black list" -- but who will maintain them?
>* some "authority" -- possibly a non-profit organization of OP's,
>which checks if members are in fact enforcing policies of
>* "web of trust" -- if RP "A" trusts that OP "X" really uses token, OP
>"B" trusts OP "X" as well
>Any ideas?
>Best regards,
>Marcin Jagodziński
>general mailing list
>general at openid.net

Avery Glasser
VxV Solutions, Inc.

+ 1.415.992.7264 - office
+ 1.415.290.1400 - mobile
+ 1.415.651.9218 - fax

329 Bryant Street, Suite 2D
San Francisco, CA 94107

This e-mail (including any attachments), is confidential and intended only for the use of the addressee(s). It may contain information covered by legal, professional or other privilege. If you are not an addressee, please inform the sender immediately and destroy this e-mail. Do not copy, forward, use or disclose this e-mail. Thank you.

More information about the general mailing list