[OpenID] Trust + Security @ OpenID

Eric Norman ejnorman at doit.wisc.edu
Mon Jul 9 02:13:22 UTC 2007


On Jul 8, 2007, at 7:30 PM, Peter Williams wrote:

> OpenID is not a trust system. It's a proof system (which is worse).
> It claims that a cryptographic proof allows a verifier to determine
> that a Provider on the net has established that user X owns/controls
> identifier I. This is not a new line of research, note; so no need to
> rush out on the patent front, folks! Research into trusted name
> servers/services for the internet dates back to mid 80s.
>
> Cryptographic Proof systems (based on DH or any other public key
> crypto using scheme) almost always leverage automated trust systems
> as an underlying mechanism. The nature of public key algorithms is
> such that one must have a means of distributing the public key (or
> DH partial) in a trustworthy manner. Otherwise, attackers spoof
> the keys/DH-partials to spoof the crypto, to spoof the proof, to
> spoof the central claim of OpenID.
>
> The 2 questions folks are repeatedly asking are:-
>
> 1. should there be varying grades of protection for the delivery of  
> the proof statement ("assurance levels")
>
> 2. should there be varying grades of proof offered ("denoting the  
> 'strength' of user auth/control")

I think there's a third question that's being asked.  Crypto may have
something to do with the delivery of the answer, but the question is
really about a relying party's ability to rely.  It's a question about
the credibility, from the RP's point of view, of statements themselves.
I'll try to ask it thus:

3.  Can I, as an RP, have independent testimony about the accuracy of
these statements (claims)?  That's what an IdP provides.  An IdP
consults the records it maintains about someone and provides testimony
in the form of statements that reflect what's in those records.

I think that's one of the main reasons that some in the OpenID
community prefer to use the term OP instead of IdP.  There is really
no mechanism by which an OP can provide independent testimony.

The following statement was uttered in this discussion:

> RPs have to learn to trust their users.

I can imagine many service providers responding to this with:

> No, I don't have to learn that.  I already know what I need to do
> to "trust" my customers.  Who are you to tell me I have to accept
> your religious dogma?

So, in a sense the OpenID community is honest when they say that
trust is "out of scope".  But on the other hand, they do talk about
convincing the RP that a user controls a URL.  That sure does look
like a trust thing; it sure does waddle like a trust thing; and it
sure does quack like a trust thing.

Eric Norman
http://ejnorman.blogspot.com




