[OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID notsoopenanymore?

Boris Erdmann boris.erdmann at googlemail.com
Wed May 30 08:31:41 UTC 2007


[... implying not to change the framework by saying "we are not
changing authentication" does not seem quite sincere to me, or do you
honestly believe that OpenID as of today is still merely about
authentication? ...]



David,

you state "Certainly not trying to do anything closed, which I hope is
shown by the fact that it isn't just limited to VeriSign's OpenID
Provider nor a set list of Providers, but rather any Provider can add
the configuration markup and work with the SeatBelt."

Well, any OP could create a plugin for their service easily. That's
trivial. But you know that a plugin that works with only one provider
is close to useless, because nobody would install a dozen plugins
for their OpenIDs from different providers. And it does not create
trust in OpenID. To do it right, the plugin has to work with any
provider. You also correctly identify that such a plugin would need
some help from OPs.

Thus it's obvious now that this is a general issue (despite the fact
that many on these lists still keep quiet about it). And it is clear
that this is directly tied to the OpenID framework, be it part of
Authentication or not (probably not).

To form an alliance that has the power to make *a* solution the de
facto standard is clearly the right way to go.

But the way you do it with Seatbelt is clearly not open while
definitively having an impact on OpenID in general, because it
perfectly fits in where the OpenID framework has a gap. And implying
not to change the framework by saying "Well, we're not changing the
Auth protocol" does not seem quite sincere to me here, or do you
honestly believe that OpenID as of today is still merely about
authentication?

Well, you and the OpenID Foundation are free to decide that OpenID's
"open" days are over someday soon, but could you please give a candid
statement, so that the rest of us followers and evangelists simply
know in time. There are of course other ways to handle this -- one of
them like so: Verisign could simply state that Seatbelt becomes part of
the framework, and discuss this in the open:


There is a Seatbelt download page on the net that reveals little:
http://beta.abtain.com/jpip/account/resources.jsp

* No download link for the plugin/extension
* No further documentation
* Since users as of today cannot be the intended audience,
   this page is an invitation for OPs only to request more information
   from Verisign (see bottom).

How to implement Seatbelt as an OP?

Insert the following into your pages:
<link rel="seatbelt.config" type="application/xml"
href="https://url-to-an-xml-document" />

Now, this is no more or less broken than any other addition of a link
rel without providing a profile attribute in the head tag.

OK, https://url-to-an-xml-document reveals tags that may or must be
part of the <opConfig version="1.0"> document, mostly styling the
color scheme of the Seatbelt plugin and advertising in some sort of
directory (assumption). Plus some important information:

- serverIdentifier
- opDomain
- opCertSHA1Hash
- opCertCommonName
- loginUrl
- loginStateUrl

So what is this cert thingy (quoting "without requiring any changes or
certification process from VeriSign")?

Now for the Seatbelt plugin to detect the login state of a user:

- loginStateUrl points to an XML document:

<personaConfig serverIdentifier="string equals the one from above"
version="1.0">
  <persona>"OpenID" of the currently logged in user</persona>
</personaConfig>

David, you state "As part of this configuration, the provider exposes
an HTTPS endpoint which returns an XML document about the current
logged in user (or that there isn't anyone logged in)".

To be more precise, the returned document can reveal the identity of a
currently logged-in user.

* Is it always like that?
* Is it possible for an OP to list more than one Identity per logged-in user?
* Why are identities tagged persona?
* What other information might be revealed?


Thank you
-- Boris
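
To make the discovery flow above concrete, here is an added example (not
code from this thread, and not VeriSign's Seatbelt code) that models it in
Python: it finds the seatbelt.config link rel in an OP page, parses the
opConfig fields listed above, checks that loginUrl and loginStateUrl are
HTTPS and inside opDomain and that opCertSHA1Hash looks like a SHA-1, and
reads the personaConfig document from loginStateUrl, refusing one whose
serverIdentifier does not match the opConfig and returning every persona
it lists (so a document with several identities, or none, is handled). The
element and attribute names come from the mail; their exact placement in
the XML and the sample documents are my assumptions.

```python
# Added example, not code from the thread or from VeriSign's Seatbelt: an offline
# model of the discovery flow described in the mail, with the consistency checks a
# client would want before trusting an OP's configuration.
# Element/attribute names come from the mail; their placement and the sample
# documents below are constructed assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SEATBELT_REL = "seatbelt.config"
REQUIRED_FIELDS = ("serverIdentifier", "opDomain", "opCertSHA1Hash",
                   "opCertCommonName", "loginUrl", "loginStateUrl")


class _LinkRelFinder(HTMLParser):
    """Collect the href of every <link rel="seatbelt.config"> in an OP's HTML page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").split()
        if SEATBELT_REL in rels and a.get("href"):
            self.hrefs.append(a["href"])


def discover_config_url(html):
    """Return the first seatbelt.config URL advertised in the page, or None."""
    finder = _LinkRelFinder()
    finder.feed(html)
    return finder.hrefs[0] if finder.hrefs else None


def parse_op_config(xml_text):
    """Parse the <opConfig> document into a dict of the fields named in the mail."""
    root = ET.fromstring(xml_text)
    if root.tag != "opConfig":
        raise ValueError("expected <opConfig> root, got <%s>" % root.tag)
    cfg = {"version": root.get("version")}
    for name in REQUIRED_FIELDS:
        el = root.find(name)
        cfg[name] = el.text.strip() if el is not None and el.text else None
    return cfg


def _host_within(host, domain):
    return host == domain or host.endswith("." + domain)


def check_op_config(cfg):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not cfg.get(name):
            problems.append("missing " + name)
    sha1 = cfg.get("opCertSHA1Hash") or ""
    if sha1 and not (len(sha1) == 40 and all(c in "0123456789abcdefABCDEF" for c in sha1)):
        problems.append("opCertSHA1Hash is not a 40-hex-digit SHA-1")
    domain = cfg.get("opDomain")
    for key in ("loginUrl", "loginStateUrl"):
        url = urlparse(cfg.get(key) or "")
        if cfg.get(key) and url.scheme != "https":
            problems.append(key + " is not https")
        if domain and url.hostname and not _host_within(url.hostname, domain):
            problems.append(key + " host %s is outside opDomain %s" % (url.hostname, domain))
    return problems


def parse_login_state(xml_text, expected_server_identifier):
    """Return the OpenIDs a <personaConfig> claims are logged in (empty when nobody is)."""
    root = ET.fromstring(xml_text)
    if root.tag != "personaConfig":
        raise ValueError("expected <personaConfig> root, got <%s>" % root.tag)
    got = root.get("serverIdentifier")
    if got != expected_server_identifier:  # must equal the opConfig serverIdentifier
        raise ValueError("serverIdentifier mismatch: %r != %r" % (got, expected_server_identifier))
    return [p.text.strip() for p in root.findall("persona") if p.text and p.text.strip()]


# Constructed sample documents (not real OP output).
SAMPLE_HTML = ('<html><head><link rel="seatbelt.config" type="application/xml" '
               'href="https://op.example/seatbelt.xml" /></head><body></body></html>')
SAMPLE_OP_CONFIG = """<opConfig version="1.0">
  <serverIdentifier>op.example</serverIdentifier>
  <opDomain>op.example</opDomain>
  <opCertSHA1Hash>0123456789abcdef0123456789abcdef01234567</opCertSHA1Hash>
  <opCertCommonName>op.example</opCertCommonName>
  <loginUrl>https://op.example/login</loginUrl>
  <loginStateUrl>https://op.example/seatbelt/state</loginStateUrl>
</opConfig>"""
# Same config with a plain-http state URL on a foreign host: the checks must flag it.
SAMPLE_BAD_OP_CONFIG = SAMPLE_OP_CONFIG.replace(
    "https://op.example/seatbelt/state", "http://tracker.example/state")
SAMPLE_LOGIN_STATE = """<personaConfig serverIdentifier="op.example" version="1.0">
  <persona>https://alice.op.example/</persona>
</personaConfig>"""
SAMPLE_LOGGED_OUT = '<personaConfig serverIdentifier="op.example" version="1.0"/>'

if __name__ == "__main__":
    cfg = parse_op_config(SAMPLE_OP_CONFIG)
    print(discover_config_url(SAMPLE_HTML), check_op_config(cfg))
    print(parse_login_state(SAMPLE_LOGIN_STATE, cfg["serverIdentifier"]))
    print(check_op_config(parse_op_config(SAMPLE_BAD_OP_CONFIG)))
```

The serverIdentifier comparison is the one binding between the two documents
the mail describes, so the parser treats a mismatch as fatal rather than as
a warning; the domain and scheme checks are the minimum a client should apply
before it polls a URL that, as the mail points out, returns the identity of
whoever is logged in.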



On 5/30/07, Recordon, David <drecordon at verisign.com> wrote:
> Hey Peter,
> The SeatBelt is a FireFox extension designed to help with convenience
> and phishing concerns around using OpenID.  It makes no changes to any
> of the OpenID protocols.  The only "protocol" it uses is a discovery
> convention (just like RSS or ATOM auto-discovery) where an OpenID
> Provider marks up a link rel tag pointing to an XML configuration file
> for the extension.  This provides the ability for the extension to work
> with new providers without requiring any changes or certification
> process from VeriSign.  As part of this configuration, the provider
> exposes an HTTPS endpoint which returns an XML document about the
> currently logged-in user (or that there isn't anyone logged in).
>
> Just to restate this, we're not doing *anything* which changes the
> OpenID protocol(s).
>
> --David
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Peter Williams
> Sent: Tuesday, May 29, 2007 6:56 PM
> To: Boris Erdmann; general at openid.net
> Subject: Re: [OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID
> notsoopenanymore?
>
> We can test whether VeriSign seatbelt technical protocols and
> administration framework work is open, or not.
>
> Open technologies allow leading implementations to be replaced, and no
> barrier shall exist for users of the latter to obtain from such as Aol
> all the technical features and technical security benefits that the
> former, Seatbelt users obtain today.
>
> VeriSign is, note, entirely entitled to add service delivery values,
> audit practices and financial warranties etc - so as to differentiate
> Seatbelt from other services based on the same protocols and protocol
> bindings.
>
>
> VeriSign specifying and using a public OpenID binding - requiring https
> and allowing optional validation by a trusted https/wininet client of its
> extended validation certs, say - which might together provide
> assurance that risks of phishing are mitigated by a unique integration
> of technical and legal controls - is an entirely proper id mgt service,
> built on open technology.
>
>
> ....
>
> certainly working to have the SeatBelt up on Mozilla's Add-Ons
> page and at that point will provide it for public download as well as
> providing documentation with it.  Certainly not trying to do anything
> closed, which I hope is shown by the fact that it isn't just limited to
> VeriSign's OpenID Provider nor a set list of Providers, but rather any
> Provider can add the configuration markup and work with the SeatBelt.
>
> --David
>
>


