[OpenID] Initial thoughts on OpenID
Peter Williams
pwilliams at rapattoni.com
Wed Jul 11 01:07:49 UTC 2007
The levels 1-4 have nothing to do with the sensitivity of classified systems, or information objects bearing labels and caveats. Orthogonally, it's true that the accreditor of an SBU system might well mandate level 3. The system accreditor addressing sensitive processing at a higher level than unclassified is likely to demand level 4, to better control the I&A risk. It's unlikely an accreditor would enforce FIPS 140-1 level 3 on the end-user if the old OP provider is itself not also using a FIPS 140-2 level 3 CSP, with proper keyfill/arming etc.
Note these levels are just the old VeriSign Class 1, 2, 3, 4 repackaged as a national standard. Via DoD certificate policies, they became stuffed in the SP.
They were intended to address the conditions for the original creation of, and then the realtime use of, offline assertions (known as certificates/private-keys) when manufacturing a personal digital signature issued to an RP. NIST quite properly wrote up the spec using __tech-independent__ language.
It's entirely appropriate for the OpenID std to use these classes/levels to indicate how one MIGHT control the creation (by OPs) of its realtime assertions (despite not using the technology of RSA certs/RSA signatures). If the OP determined/determines you satisfied/satisfy online user auth according to the level 3 criteria using web-forms, say (over SSL satisfying DOD Class 3, and a DOD CAC card, probably), the OP just mac-signs an online assertion in the OpenID syntax according to the state machine of the OpenID Auth protocol.
I've already forgotten what that OpenID extension named the field that conveys the quality of user auth (authnContext in SAML-speak). Its value could quite legitimately be "SP800-63-level-1". It would be useful for that OpenID extension spec to standardize those string labels.
Be aware that outside US/UK/Aus govt. circles, many commercial folks will also want to know the more specific details of the means used to satisfy level X. Thus, the OpenID Extension doc might need to create/maintain a list whose elements are two-part declarations: "SP800-63-level-2:802.1X-RSAEAP" for example.
The value in the commercial world of this is that I, as the accreditor controlling a community of RPs, need to know that the strong auth logging evidence maintained by the IDP is of a form that I have EQUIPMENT to use, should the need arise. It is not enough in the commercial world that I can rely OK today; I need to rely in the future on the ability to actually leverage the evidence of compliance.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Recordon, David
Sent: Tuesday, July 10, 2007 3:57 PM
To: Eric Norman; OpenID - General
Subject: Re: [OpenID] Initial thoughts on OpenID
Just as an FYI, PAPE references SP 800-63.
--David
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eric Norman
Sent: Tuesday, July 10, 2007 5:13 AM
To: 'OpenID - General'
Subject: Re: [OpenID] Initial thoughts on OpenID
On Jul 10, 2007, at 5:05 AM, =nat wrote:
> Now, coming to the topic of this "classified OPs", I would rather like
> to think of it as the AQ and Reputation issue.
> To me, Assertion Quality is defined by "Enrollment Quality",
> "Authentication Quality", and "Operational Quality of OP".
> AQE has the first two (though I would like to add several more
> enrollment properties: oob is too broad. I would like to see something
> like In-Person-with-photo-id etc. added.) . The last one can be taken
> care of by Reputation (and audit).
It's always worthwhile to consult the literature and see what others have done. For instance NIST has done a lot of work in the area. Of particular relevance to this topic is Special Publication 800-63.
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Eric Norman
http://ejnorman.blogspot.com
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
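Added example, not code from the thread or from the OpenID project: Peter Williams's message above says the OP "mac-signs an online assertion in the OpenID syntax" and proposes two-part auth-quality labels such as "SP800-63-level-2:802.1X-RSAEAP". The block below builds such an OpenID 2.0 positive assertion on the OP side and verifies it on the RP side, using the OpenID Authentication 2.0 signature construction (HMAC over the Key-Value Form of the fields listed in openid.signed, keys without the "openid." prefix, base64-encoded). The extension namespace, the field name "openid.aq.level", the label grammar, the endpoint URLs and the MAC key are assumptions for illustration only. The check a practitioner wants is that the auth-level field is itself inside the signed set: a level that is merely present but unsigned can be altered in transit.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample MAC key, standing in for one agreed in an association
# (assumption: assoc_type HMAC-SHA256).
MAC_KEY = bytes(range(32))

# Fields an OP is expected to sign; "ns.aq"/"aq.level" are the assumed
# extension fields carrying the auth-quality label discussed in the thread.
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
                 "claimed_id", "identity", "ns.aq", "aq.level"]

# Assumed label grammar: SP800-63-level-N with an optional ":mechanism" part.
LABEL_RE = re.compile(r"^SP800-63-level-([1-4])(?::([A-Za-z0-9.\-]+))?$")


def kv_form(fields, signed):
    """Key-Value Form of the signed fields (OpenID 2.0 sec. 4.1.1 / 6.1):
    one "key:value\\n" line per field, key without the "openid." prefix,
    in the order given by openid.signed."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode("utf-8")


def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the Key-Value Form, base64-encoded as in openid.sig."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def op_build_assertion(auth_level_label, mac_key, signed_fields=SIGNED_FIELDS):
    """OP side: assemble an id_res message and sign the chosen fields."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",   # assumed
        "openid.return_to": "https://rp.example/finish",       # assumed
        "openid.response_nonce": "2007-07-11T01:07:49ZUNIQUE",
        "openid.assoc_handle": "assoc-1",
        "openid.claimed_id": "https://op.example/user",
        "openid.identity": "https://op.example/user",
        "openid.ns.aq": "http://example.org/aq/1.0",           # assumed ext ns
        "openid.aq.level": auth_level_label,
    }
    fields["openid.signed"] = ",".join(signed_fields)
    fields["openid.sig"] = sign(fields, signed_fields, mac_key)
    return fields


def parse_label(label):
    """Return (level, mechanism_or_None) or None if the label is malformed."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def rp_verify(fields, mac_key, required_level):
    """RP side: check the MAC, that the auth-level field is covered by it,
    and that the asserted level meets the RP's requirement.
    Returns (ok, reason)."""
    signed = fields.get("openid.signed", "").split(",")
    if any("openid." + k not in fields for k in signed):
        return False, "signed list names absent fields"
    expected = sign(fields, signed, mac_key)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    if "aq.level" not in signed or "ns.aq" not in signed:
        return False, "auth level not covered by signature"
    parsed = parse_label(fields["openid.aq.level"])
    if parsed is None:
        return False, "unrecognized auth level label"
    level, mechanism = parsed
    if level < required_level:
        return False, f"level {level} below required {required_level}"
    return True, f"level {level} via {mechanism or 'unspecified'}"


if __name__ == "__main__":
    good = op_build_assertion("SP800-63-level-2:802.1X-RSAEAP", MAC_KEY)
    print(rp_verify(good, MAC_KEY, 2))
    unsigned_level = op_build_assertion("SP800-63-level-2", MAC_KEY,
                                        SIGNED_FIELDS[:-2])
    print(rp_verify(unsigned_level, MAC_KEY, 2))
```

The second case in the usage block is the one to watch for in a real deployment: the MAC validates, but the level field was left out of openid.signed, so the RP must treat the assertion as carrying no assurance level at all rather than trusting the unsigned value.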