[OpenID] What are openids weaknesses?

Peter Williams pwilliams at rapattoni.com
Sun Sep 2 12:35:46 UTC 2007


Long mail. 

But Follow it! 

Don't spend longer than 60s, tho. 

It's only a throw-away internet email!


> 
> For me at least, that's not the point. The point is: what can we do to
> make it better? (without changing the low-cost economics)
> 
> If there is a better plan, let's do it.
> 
> If there isn't a better plan, all we have is words and they don't help
> much.
> 
> 
> Cheers,

The words help a lot, Johannes. It's not just 25 developers who need
convincing. The words help showcase that there is a community forming
and it will therefore be _able_ generally to contribute to civil
society conformed of Peter-class plebs. 

Unless the community itself has the right set of web dynamics, openid
will die - like a billion other lines of code. Give! the Microsoft
visual basic community the tools to run with OpenID. We are pleb
programmers, sure; but there are a _lot_ of us! 

For $4, you can buy my book on
http://www.amazon.com/Digital-Certificates-Applied-Internet-Security/dp/0201309807
Note its tone. It dumped the military PKI dogma, and
appealed to the vb crowd. It dumped the academic writing, and appealed
to the masses (with the help of my two Farsi-speaking co-authors). The
PKI professionals hate it with a passion; because it commoditized PKI
and argued that 80% grade security is in fact enough. But that
philosophy was part of the mission I accepted, when a certain half
Colonel in UK DRA argued that pleb-revolt dynamics would be the ONLY
means by which COCOM could be dismantled - and then updated for the
internet era. (See below)

99% of the kind of criticisms I'm seeing aimed at OpenID are based on
(other developer) folk not understanding something they know they *seek*
to understand. 100 points for openid, for having created the desire to
seek understanding. That is one of the primary agents of change. The concept
of webSSO is indeed tantalizing. Sure OpenID _will_ worry Google to its
core; as its SP-initiated flow counters a tenet of Google's own concept
- which is hub (vs spoke) centric. When Google attacks a billion spokes
with any number of billions of dollars, be proud! Use asymmetric
information warfare for what it's good at!

When developers express the biased angst you see in Stefan's
nicely-tabbed diatribe, they are using criticism as their chosen means
of expressing their rationalizations of what they DO know. They are just
contrasting and analyzing, in reality. They are building up their belief
systems -- by participating. Folks always spar, when doing security
engineering for the public. There is a lot at stake in the personal
privacy arena. Finding a political balance between spying and privacy is
hard.

Don't worry about the volume of email, either. It took nearly half a
million emails like these to get to S/MIME. SSL was easy, by contrast.
But then, https was only a little bit easier than S/MIME -- but only
because it was able to borrow the 400,000 PKI emails from the PEM &
S/MIME world. It took well over 1 billion dollars and 20 years work to
get PKI up and running on the scale you now see it. For my bit of
contribution, I started in 1991, which was 3 years after klunky-old ISO
process had published the (late) standard! Pretty shoddy is the result,
if truth be told -- but, it's universal. (Henry just proved it.) And
that's the goal!

Remember - there has to be a display of passion (for and agin, and agin
and for) for open source code to take flight and become a wider social
movement.

-----------

On SAML vs OpenID, there is an intentionally _indirect_ point in putting
forth an argument to show that SAML's sp-redirect has all the same
"flaws" as openid is "shown to have".

SAML has major US Federal Government agency backers, who have put their
reputations on the line for SAML. If a specific criticism of openid
parallels one in SAML where SAML survived to endorsement point, so can
OpenID.

If those same endorsers profiled around the less desirable elements of
SAML, so can openid. The issues are not deal killers. They are whining
points.

So how did 1000 police agencies using SAML FORMALLY avoid the same
pitfalls that we have shown that both SAML and openid have in common?

At least on paper and thus FORMALLY, they use the SAML optional artifact
binding.  Formally, they also use FIPS 140-2 level 3 crypto devices with
their servers, with formal key fill and trusted personnel all
indoctrinated in COMSEC and continually aware of OPSEC risk you
represent, when you walk in the door...

In practice, they don't. They accept the residual phishing risks, and
take the operational and ease-of-use benefits of the more vulnerable
Browser POST binding. Their staff is the desk sergeant. The PC is from
Dell, and runs software crypto in a room at back of the police station.
Hopefully, their SSL-VPN between stations takes care of the rest of the
residual risk. If it doesn't, oh well. My police report on the loss of
Snuffy, the kitten, just went public!