[OpenID] Trust + Security @ OpenID

Gabe Wachob gabe.wachob at amsoft.net
Mon Jul 9 03:32:55 UTC 2007


I think the original thinking about OpenID was not framed in terms of trust,
but rather in terms of risk, exposure, and mitigation. 

Who bears the cost of a failed authentication (that is, who faces the
costs)? The original openid base assumption was that it is the identity
owner who bears that risk, not the "relying party"/service provider. We have
all expected that mechanisms to shift that allow removal of that assumption
by giving the relying party more visibility into the OP domain (a first step
being the proposed AQE extensions) - giving an RP at least some idea of what
sort of authentication is being performed. 

You'll notice the word "trust" is never used here. In fact, while I was at
Visa, I don't ever recall using the word "trust" in any concrete way when
analyzing multi-party distributed systems. It's all about risks, exposures,
and mitigations. I think the word "trust" is a red herring - and what we
need to focus on is giving the various parties visibility (so that risks and
exposures are understood) and mitigation mechanisms (so parties can deal
with those risks) into the authentication and data exchange aspects of
OpenID. 

I think the biggest challenge, to be honest, is that most relying parties
don't really think too much about authentication in these terms. For
example, they use usernames and passwords and don't really do an independent
risk analysis of that mechanism (e.g. the email-based recovery mechanisms).
The OpenID proposal challenges them to perform the risk analysis and maybe
helps them uncover some scary truths about the security of common security
mechanisms like username/passwords... sometimes it's just easier to use
"common practice" and hope that if it's good enough for the gander, it must
be good for the goose... even if that's not always the case. 

    -Gabe

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Eric Norman
> Sent: Sunday, July 08, 2007 7:13 PM
> To: general at openid.net
> Subject: Re: [OpenID] Trust + Security @ OpenID
> 
> 
> On Jul 8, 2007, at 7:30 PM, Peter Williams wrote:
> 
> > OpenID is not a trust system. It's a proof system (which is worse).
> > It claims that a cryptographic proof allows a verifier to determine
> > that a Provider on the net has established that user X owns/
> > controls identifier I. This is not a new line of research, note; so
> > no need to rush out on the patent front, folks! Research into
> > trusted name servers/services for the internet dates back to mid 80s.
> >
> > Cryptographic Proof systems (based on DH or any other public key
> > crypto using scheme) almost always leverage automated trust systems
> > as an underlying mechanism. The nature of public key algorithms is
> > such that one must have a means of distributing the public key (or
> > DH partial) in a trustworthy manner. Otherwise, attackers spoof
> > the keys/DH-partials to spoof the crypto, to spoof the proof, to
> > spoof the central claim of OpenID.
> >
> > The 2 questions folks are repeatedly asking are:
> >
> > 1. should there be varying grades of protection for the delivery of
> > the proof statement ("assurance levels")
> >
> > 2. should there be varying grades of proof offered ("denoting the
> > 'strength' of user auth/control")
> 
>   I think there's a third question that's being asked.  Crypto may have
> something to do with the delivery of the answer, but the question is really
> about a relying party's ability to rely.  It's a question about the
> credibility, from the RP's point of view, of the statements themselves.
> I'll try to ask it thus:
> 
> 3.  Can I, as an RP, have independent testimony about the accuracy of
> these statements (claims)?   That's what an IdP provides.  An IdP consults
> the records it maintains about someone and provides testimony in the form
> of statements that reflect what's in those records.
> 
> I think that's one of the main reasons that some in the OpenID community
> prefer to use the term OP instead of IdP.  There is really no mechanism by
> which an OP can provide independent testimony.
> 
> The following statement was uttered in this discussion:
> 
> > RPs have to learn to trust their users.
> 
> I can imagine many service providers responding to this with:
> 
> > No, I don't have to learn that.  I already know what I need to do to
> > "trust" my customers.  Who are you to tell me I have to accept your
> > religious dogma?
> 
> So, in a sense the OpenID community is honest when they say that trust is
> "out of scope".  But on the other hand, they do talk about convincing the
> RP that a user controls a URL.  That sure does look like a trust thing; it
> sure does waddle like a trust thing; and it sure does quack like a trust
> thing.
> 
> Eric Norman
> http://ejnorman.blogspot.com
> 
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
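An added illustration (my own code, not from anyone in this thread nor from any OpenID library) of what the cryptographic proof Peter describes actually establishes, and why the RP-side checks around it are where the risk analysis Gabe calls for lives. It models an OpenID 2.0 association (Diffie-Hellman with DH-SHA1 wrapping of an HMAC-SHA1 MAC key) and a signed positive assertion in key-value form. Everything concrete is assumed or constructed: the DH group is RFC 2409 group 2 rather than the OpenID 2.0 default modulus, the hostnames, identifiers, nonce and handle are invented, and `rp_accepts` / `rp_state` are my sketch of RP-side bookkeeping, not anything defined by the spec.

```python
"""Added example, not code from the thread or from any OpenID implementation.

Constructed assumptions (not taken from the thread):
  * DH group: the 1024-bit MODP prime of RFC 2409 group 2 with g = 2.  The
    OpenID 2.0 spec ships its own default modulus; the arithmetic is identical.
  * Hostnames, identifiers, nonce and handle values below are invented.
  * rp_state / rp_accepts are a sketch of RP bookkeeping, not spec material.
"""
import base64
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def btwoc(n: int) -> bytes:
    """OpenID's big-endian two's-complement encoding of a non-negative int
    (minimal length, leading 0x00 if the top bit would otherwise be set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_mask(my_priv: int, peer_pub: int, data: bytes) -> bytes:
    """DH-SHA1: XOR `data` with SHA1(btwoc(g^xy mod p)).  The OP uses it to
    wrap the MAC key; the RP applies the same function to unwrap it."""
    shared = pow(peer_pub, my_priv, P)
    digest = hashlib.sha1(btwoc(shared)).digest()
    return bytes(a ^ b for a, b in zip(digest, data))


def associate():
    """One association round trip.  Returns (OP's MAC key, RP's unwrapped copy).
    Nothing here authenticates who sent dh_server_public; that assurance, if
    any, comes from the transport the RP used to reach the endpoint."""
    rp_priv, rp_pub = dh_keypair()                     # openid.dh_consumer_public
    op_priv, op_pub = dh_keypair()                     # dh_server_public
    mac_key = secrets.token_bytes(20)                  # 160-bit HMAC-SHA1 key
    enc_mac_key = dh_mask(op_priv, rp_pub, mac_key)    # enc_mac_key
    return mac_key, dh_mask(rp_priv, op_pub, enc_mac_key)


def kv_form(fields) -> bytes:
    """Key-value form over the signed fields: one 'key:value\\n' per field,
    keys without the 'openid.' prefix, in the order listed in openid.signed."""
    return "".join(f"{k}:{v}\n" for k, v in fields).encode()


def sign(mac_key: bytes, fields) -> str:
    mac = hmac.new(mac_key, kv_form(fields), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signature_valid(mac_key: bytes, fields, sig: str) -> bool:
    return hmac.compare_digest(sign(mac_key, fields), sig)


def rp_accepts(rp_state: dict, fields, sig: str) -> bool:
    """The signature alone says 'the holder of this MAC key signed these
    fields'.  Binding that to *the OP discovered for this identifier* is the
    RP's own job; each check below is one exposure the RP decides to cover."""
    f = dict(fields)
    endpoint = rp_state["discovered_endpoint"].get(f.get("claimed_id"))
    if endpoint is None or f.get("op_endpoint") != endpoint:
        return False                     # not the OP discovered for this id
    mac_key = rp_state["assoc"].get((endpoint, f.get("assoc_handle")))
    if mac_key is None:
        return False                     # not an association the RP made there
    if f.get("response_nonce") in rp_state["seen_nonces"]:
        return False                     # replay of an assertion already used
    if not signature_valid(mac_key, fields, sig):
        return False                     # fields altered in transit
    rp_state["seen_nonces"].add(f["response_nonce"])
    return True


def demo():
    mac_key, rp_mac_key = associate()
    assert mac_key == rp_mac_key         # both ends hold the same MAC key
    endpoint = "https://op.example/endpoint"                       # constructed
    rp_state = {
        "discovered_endpoint": {"https://alice.example/": endpoint},  # discovery
        "assoc": {(endpoint, "h-0001"): rp_mac_key},                  # associate()
        "seen_nonces": set(),
    }
    fields = [                           # order = openid.signed list (constructed)
        ("op_endpoint", endpoint),
        ("return_to", "https://rp.example/finish"),
        ("response_nonce", "2007-07-09T03:32:55ZAbC"),
        ("assoc_handle", "h-0001"),
        ("claimed_id", "https://alice.example/"),
        ("identity", "https://alice.example/"),
    ]
    sig = sign(mac_key, fields)          # OP signs the positive assertion
    altered_fields = [(k, "https://bob.example/" if k == "identity" else v)
                      for k, v in fields]
    altered = rp_accepts(rp_state, altered_fields, sig)   # HMAC no longer matches
    first = rp_accepts(rp_state, fields, sig)             # genuine assertion
    replayed = rp_accepts(rp_state, fields, sig)          # same nonce again
    # A perfectly valid HMAC under a key the RP never established with the
    # discovered endpoint fails the binding check, whatever the crypto says.
    other_key = secrets.token_bytes(20)
    rp_state["assoc"][("https://other.example/", "h-0002")] = other_key
    f2 = [(k, "h-0002" if k == "assoc_handle" else v) for k, v in fields]
    unbound = rp_accepts(rp_state, f2, sign(other_key, f2))
    return altered, first, replayed, unbound


if __name__ == "__main__":
    print(demo())
```

The DH step keeps the MAC key from a passive observer of the association channel, but, as `associate` notes, it does not tell the RP who was on the other end; that is exactly the key-distribution gap Peter points at, and in practice it is covered by the transport to the discovered endpoint. The remaining checks in `rp_accepts` (discovered endpoint, own association handle, nonce) are the "visibility and mitigation" work that an RP has to do for itself; none of them is a trust decision in the sense the thread argues about.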



