[OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID not so open anymore?
Boris Erdmann
boris.erdmann at googlemail.com
Wed May 30 06:32:20 UTC 2007
David,
thanks for commenting. I definitively follow you in "The OpenID
Authentication protocol itself shouldn't need to change to address the
phishing concerns". But as is stated on the http://openid.net/
homepage, OpenID is a framework, of which OpenID Authentication is one
part. Just like Yadis added parts of identity discovery to that
framework, there needs to be at least one more addition -- that's what
I am talking about.
I'm running an OP in Germany and phishing as well as privacy are big
concerns over here (as some of you surely learned at web2.0-kongress,
Munich in April) -- I should probably say show stoppers.
I surely have no problem with a push into the right direction when it
comes to OP detection, but assuming that Verisign, AOL and JanRain
might only gain 90% of market share, there are still (as of today or
tomorrow) some 10 million users who are potentially damaging OpenID's
reputation by being phished.
That's why I think OpenID is in need of some *standardized* way for
browsers to get OpenID Authentication under control.
OTOH, Verisign, JanRain and AOL decided to go Seatbelt. By the time
this decision really starts to matter for OpenID users, there is quite
a chance that there will be no turning back and that you created a de
facto standard.
Don't get me wrong: There is no problem with that in itself. But since
we are not talking about some nice features here, but user security in
the first place, I think this is nothing to play around with. This
should not be about "secret" alliances or playing monopoly. That
simply would not comply with "Nobody should own this".
And with this "addition" to OpenID you are definitively starting to
change the OpenID landscape. OP detection is one of the important
missing bricks.
About openness:
I would rather comment on your last paragraphs in my reply to your
follow-up post...
Boris
On 5/30/07, Recordon, David <drecordon at verisign.com> wrote:
> Hey Boris,
> I think there certainly is an understanding between OPs that phishing
> is a definite concern when using the OpenID protocol; btw, AOL has also
> added support for VeriSign's SeatBelt. I think what we've seen though
> (as Brian and I talked about at Web 2.0 Expo
> http://openid.net/pres/2007_Web2Expo_Implementing_OpenID.pdf) is
> two-fold:
>
> 1) The OpenID Authentication protocol itself shouldn't need to change
> to address the phishing concerns, or at least it doesn't in the near
> future. Rather like SAML it can remain agnostic as to how the End User
> authenticates to the OP and let extensions to the protocol handle richer
> descriptions of requirements and what happened (as discussed in the
> collaboration announcement around RSA
> http://www.identityblog.com/?p=668).
>
> 2) OpenID Providers are already starting to look at ways they can
> protect their users from phishing by using authentication technologies
> other than username and password. While OpenID thrusts the phishing
> issue into the lime-light, it is a larger problem on the web which
> technologists are already looking at. Options such as certificates
> (whether they be through something like CardSpace or browser certs like
> MyOpenID.com and Certifi.ca are doing) provide one means to help with
> this problem.
>
> As for openness around the Provider provisioning, we certainly are
> wanting to look at using Yadis for OpenID Providers to mark up their
> SeatBelt configuration. The provisioning configuration markup evolved
> very quickly, especially as we were working with JanRain and AOL, and it
> was easiest to design it in a proprietary fashion. With that said, I
> don't see how this has any bearing to OpenID in general nor the open
> community process that is used for specification development.
>
> We're certainly working to have the SeatBelt up on Mozilla's Add-Ons
> page and at that point will provide it for public download as well as
> providing documentation with it. Certainly not trying to do anything
> closed, which I hope is shown by the fact that it isn't just limited to
> VeriSign's OpenID Provider nor a set list of Providers, but rather any
> Provider can add the configuration markup and work with the SeatBelt.
>
> --David
>
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Boris Erdmann
> Sent: Tuesday, May 29, 2007 7:33 AM
> To: general at openid.net
> Subject: [OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID not so
> open anymore?
>
> Now,
>
> after investigating the topic a little further the facts seem to speak
> for themselves:
>
> a) Verisign developed an RP/OP discovery mechanism from exactly
> the same motives as I did with my ClaimOP proposal, as part of
> their Seatbelt product (albeit more elaborate, I frankly admit).
>
> b) With at least two very prominent followers of the OpenID community
> (Verisign and JanRain both actively support the Seatbelt approach)
> there seems to be some understanding between OPs that the base
> OpenID protocol is lacking when it comes to fighting phishing.
>
>
> So this proves that my reasoning is quite valid:
> Browsers need more signalling to get a grip on the protocol!
>
>
> Now I wonder:
>
> * Shouldn't a solution be discussed in the open?
> * Am I completely off topic (please direct me to the right place)?
> * Is all this to stay behind the scenes?
> * Is nobody else interested?
>
>
> Thanks
> -- Boris
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>