[OpenID] [from Marketing] I object to OpenID whitelists

Peter Williams pwilliams at rapattoni.com
Thu Jul 5 01:42:42 UTC 2007


I've seen two strands of thought expressed, on two different issues that
seem to articulate the underlying questions you seem to be posing. I add
a commentary issue, attempting to advance the conceptual analysis. I
also summarize an experiment we used to explore this evolving conceptual
framework. We draw 2 conclusions that the community may decide to use
when improving the openid authentication protocol v2.

-----------------

Issue 1: Which providers shall a trust point "accept"? Some think that
the consumer agent associated with a trust point shall accept any and
all providers. Others think that the agent supporting the trust point
shall enforce a security policy limiting, via means such as black/white
lists, the providers with whom it is authorized to establish
openid-associations.

Issue 2: When a trust-point-authorized provider provides a claim that a
given user "controls" a given OP, should a provider assert a "strength
of claim"? Some think that there is no explicit signal communicating the
strength of this claim (e.g. a provider confirmed user control via
2-factor technique, rather than biometric technique, and as opposed to
weak password technique) as the strength-signal is implied by the
assurance level of the provider as beheld by the trust point. Others
think that assurance of provider is independent of strength of claim,
and thus strength requires a field for communicating the id of the
technique the provider used to confirm "user's control over an OP".

Issue 3: On experimenting practically with the JanRain server/consumer
.NET portals with colleagues at http://www.scardsoft.com, we aimed to
distinguish several concepts. We designed and then built an experimental
apparatus that would distinguish (1) "user authentication strength" (aka
OP control strength, in OpenID terminology), (2) a provider's assurance
level, and (3) receiver confidence (aka degree of reliance, in OpenID
terminology).

In experimenting with issue 3, we built an apparatus in which the user
authentication portion of the JanRain provider portal was removed, and
replaced with an HTTP redirect-based protocol accessing a distinct
webapp which performed the activities of user authentication. We used
smartcard authentication over the web between browser and webapp; albeit
merely collecting the ATR of the smartcard presented, rather than
performing a more proper Consumer->card crypto-authentication sequence
using a creditable card-authentication protocol. The apparatus then
communicated the smartcard's ATR to the JanRain provider process, acting
as a signal of authentication strength (strength of "OP control"). This
value was then added to the attributes sent back to the Consumer, being
carefully distinguished from those requested by the consumer. The
consumer then evaluates confidence level in the webSSO act by
calculating a metric over {assurance level of the provider (from id of
provider), strength of the user authentication (from ATR), the perceived
quality of the OP (from the domain-name registrars or XRI proxies used
in the OP)}.

2 conclusions might be drawn from this experiment, given the issue
analysis. First, the OpenID protocol might formalize in specification
how an OP provider shall interface in standard manners with OP-specific
authentication providers (e.g. specify a redirect binding). Secondly,
the OpenID Authentication protocol might specify the syntax and
semantics of the field to be used between these two providers to signal
OP control strength (strength of user authentication), and a similar
field for use in communicating the same value between OP provider and
consumer.

Peter.
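A sketch of the consumer-side evaluation the experiment above describes, written here as an added example (it is not the JanRain code nor anything from the scardsoft apparatus): a provider whitelist carrying per-provider assurance levels (Issue 1), a user-authentication strength signal kept apart from the attributes the consumer requested (Issue 2), and a confidence metric over the three inputs. The field name `x.auth_strength`, the technique ids, the scores and the weights are assumptions; `openid.op_endpoint` and `openid.claimed_id` are the OpenID 2.0 response parameters.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed whitelist (Issue 1): OP endpoint -> assurance level in [0, 1].
PROVIDER_ASSURANCE = {
    "https://op.bank.example/server": 0.9,
    "https://op.community.example/server": 0.5,
}

# Hypothetical response field carrying the user-authentication strength
# signal (Issue 2); the technique ids and their scores are assumptions.
STRENGTH_FIELD = "x.auth_strength"
STRENGTH_SCORES = {
    "password": 0.3,
    "smartcard-atr": 0.6,     # card merely presented and its ATR read
    "smartcard-crypto": 0.9,  # challenge/response run against the card
}
WEAKEST = min(STRENGTH_SCORES.values())


@dataclass
class Decision:
    accepted: bool
    confidence: float
    reason: str
    attributes: dict


def identifier_quality(claimed_id: str) -> float:
    """Crude stand-in for the 'perceived quality of the OP' input."""
    scheme = urlparse(claimed_id).scheme
    return {"https": 1.0, "http": 0.6}.get(scheme, 0.0)


def evaluate(response: dict, requested: set, required: float) -> Decision:
    """Consumer-side check: whitelist, strength signal, then the metric."""
    assurance = PROVIDER_ASSURANCE.get(response.get("openid.op_endpoint"))
    if assurance is None:
        return Decision(False, 0.0, "provider not on whitelist", {})
    # An absent or unrecognised signal counts as the weakest technique.
    strength = STRENGTH_SCORES.get(response.get(STRENGTH_FIELD), WEAKEST)
    # Only attributes the consumer asked for are passed on; the strength
    # signal is deliberately not surfaced as a user attribute.
    attrs = {k: v for k, v in response.items() if k in requested}
    quality = identifier_quality(response.get("openid.claimed_id", ""))
    # Assumed weights for the metric over {assurance, strength, quality}.
    confidence = round(0.5 * assurance + 0.3 * strength + 0.2 * quality, 3)
    ok = confidence >= required
    return Decision(ok, confidence, "ok" if ok else "below threshold", attrs)
```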
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Meng Weng Wong
Sent: Tuesday, July 03, 2007 2:38 PM
To: general at openid.net
Subject: [OpenID] [from Marketing] I object to OpenID whitelists

Hi everyone, we're moving a thread about OpenID whitelists/blacklists/reputation
over from the Marketing list.

Mark Atwood has posted some excellent substance, below.

With luck, this discussion will uncover assumptions and scenarios
that can inform our evolving paradigm.

On a less philosophical level, I will stay alert to use cases,
requirements, and design principles that may inform new system
architectures and software.

I have been involved in authentication and reputation since 2003. I
hope to eventually contribute white papers and diagrams to help
advance this conversation.



On Jul 3, 2007, at 11:37 AM, Mark Atwood wrote:

> Meng Weng Wong <mengwong at pobox.com> writes:
>>
>> Hey everyone, I just subscribed to all the mailing lists.  I have
>> some cycles free to contribute to the community now and I want to
>> start with whitelists.
>
> I dislike whitelists for OpenID.
>
> Because I run my own OpenID server just for myself, as I suspect many
> of the more sophisticated OpenID users will.  And the spread of
> whitelists will make doing that impossible.
>
> If someone is truly worried about their OpenID provider turning evil,
> running one's own is an option, and presently is an easy option.
>
> If I have to worry about me stealing my own online identity,
> and then me going around pretending to me,
> I have much bigger problems than just data security protocols...
>
>
> I can see a use for whitelists for a few cases, such as a whitelist
> of OpenID providers that can make legally valid statements about
> the legal name and age of the person, for sites that want age
> verification.
>
> Or a whitelist of OpenID providers who provide true two-factor
> hardware auth, such that can be trusted by a bank.
>
> (Right now, the first whitelist has only one member, and the second
> one is empty.)
>
> But a whitelist of "well known OpenID providers", brings nothing of
> value to OpenID, and in fact, *removes* value from the system.
>
> --
> Mark Atwood                 When you do things right, people won't be sure
> me at mark.atwood.name         you've done anything at all.
> http://mark.atwood.name/   http://fallenpegasus.livejournal.com/
