[OpenID] Trust + Security @ OpenID
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Jul 7 22:59:02 UTC 2007
Hi Peter,
I want to concentrate on the third part, which doesn't mean that what
you said in the first two is less important. Just the third section
interests me most ;-)
Peter Williams wrote:
> 3. We also have to look increasingly carefully at the exposition of the core design philosophy. If one evaluates the primary claim of the movement - as one day a Common Criteria evaluator MUST - then we see that "OpenID is completely decentralized meaning that anyone can choose to be a Consumer or Identity Provider without having to register or be approved by any central authority" is a somewhat "vacuous" central claim. The same is true for PKI, in practice. The same is true for SAML, in practice. The same is true for SSL, in practice. The same is true for inter-domain web cookies achieving SSO, in practice. It's even true for federation-centric schemes like Shibboleth, that also admit and greatly benefit from bilateral opt-outs by site from the centralized policy management regimes. So... So what! OpenID?
>
Let me pick your PKI example, since I'm most familiar with it. PKI is
decentralized in theory, since everybody can operate a certification
authority (CA) and issue certificates. Self-signed X.509 certificates
are most common. In practice, however, software vendors (OS, browser, mail
clients) are the supervisors - mostly through a third-party audit
requirement. However, this practice has come a long way from the Netscape
days of a monopoly on digital certification by Verisign and later
Thawte, through the partial opening by Microsoft's Internet Explorer, up
to today, where the North American WebTrust isn't the only governing
body anymore - with much help from Mozilla.
OpenID is currently completely decentralized and no requirements are set
by anybody (yet). When comparing to PKI, anyone can run his own "CA" in
the OpenID world. Like CardSpace and self-run IDPs, they are effectively
like self-signed certificates. A relying party can choose to trust them,
but nothing has been verified or guaranteed in any form (not even the
integrity of the authentication process). For me as a relying party
running a forum or web log, this is not really assuring, not to speak
of other potential login facilities.
I suggested a while ago to form a body which would provide to relying
parties a service of supervision of IDPs. This body could define the
requirements of IDPs and the verification thereof, which would assure to
RPs adherence to that defined standard to a great extent. I'd envision
this body to be an open and free foundation. I have another few ideas
about how such a body could function and look, and allow any sincere IDP
to operate his server. RPs could then choose to require any IDP to be
verified by that body and block all the others (not a MUST, but an
OPTION). Obviously this would prevent the mess of managing blacklists,
as is happening with mail servers today, or other measures!
Another thought is also that, since there is a business interest in
OpenID, I don't expect OpenID to remain as decentralized and open as it is
today. In theory it will remain an open standard; in practice, however,
not! Currently the free adoption and participation of a wide community
serves the interest of everybody involved; however, a day might come when
this will change. For obvious reasons, since nobody can rely on
OpenID seriously, there will be strings attached in the future - and as
that happens, it will serve the various business interests too. I'm
just speculating about this scenario, but it's a likely possibility.
Therefore, a free and open supervisory and standards body for OpenID
operators, which would close the gap of security requirements (and
trust) of the current decentralized scheme, would guarantee the continued
freedom of operators and relying parties alike. If adoption of such a
body made it into the community as a de-facto standard (and
must-have), everybody making use of OpenID might gain from various
perspectives - notably the OpenID standard itself, as it would
strengthen its reliability tremendously.
Else? Else I expect the same to come from a completely different
direction, but with no influence from the enthusiastic OpenID community
and early adopters.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390