[OpenID] What are openids weaknesses?

Peter Williams pwilliams at rapattoni.com
Tue Sep 4 03:59:08 UTC 2007


Limit read of long email to 60s, below.

So let's look at some evidence supporting the undisputed leadership
claims of the godfather.

---------------

http://xml.coverpages.org/saml.html

Recounted history of (SAML) webSSO goes back to 2001. No mention of the
godfather, anywhere. The usual XML suspects are mentioned aplenty.




http://www.w3.org/TR/1998/NOTE-P3P10-principles#Signatories

No mention of the godfather in w3c either, back in 1997. A certain
"Drummond Reed" is there, tho. As is "Ann Cavoukian" both recently
mentioned on OpenID lists :-)




(Henry should be interested in relation of xml-dsigs and RDF in
http://www.w3.org/2000/10/xmldsig-p3p-profile/#sec-P3P)


Note "Tara Lemmey, Chairman, Narrowline; TrustE Board Member" - before
TrustE got sued, and rapidly became eTrust. That was a fun blunder for an
organization committed to respect for privacy and IP protection!







http://www.oasis-open.org/archives/security-services/200204/msg00129.html
The RSA Authentication Manager plugins have long supported keying a
multi-domain cookie issuing service built into the IIS/Apache
filter/handlers of an IDP - as a way of doing IDP-initiated webSSO
(between AM capable sites) to multiple relying parties. These methods go
back a long way, to perhaps 1996. For use at CIA, Security Dynamics had
a much longer history of tying OTP assertion release to only an
authorized set of relying parties, those network nodes part of a trusted
keying domain for which there was a DES association.

Release of attribute information from the secure blob in those cookies
always had an interesting, ambiguous relationship under the rules of
release set by the P3P policy of the target RP. It was a mashup before
its time.




http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6,085,320.PN.&OS=PN/6,085,320&RS=PN/6,085,320
doesn't reference any patent with related claims, by the godfather. Nor
do the references.

It would be interesting to see -- now that Cardspace-OpenID requires SSL
for auth response validation for token verification (and, effectively,
uses the step of the method of certs and public keys building the
reliance graph) -- how it fares under the above.



http://www.oasis-open.org/committees/security/ipr.php has no mention of
the godfather, either: inventors from Fidelity, RSA, AOL and others are
mentioned, however.



Let's assume that he invented the "UCI" notion that an IDP can only
release attributes subject to first identifying the RP, subject to orcon
control regimes (which he also invented no doubt)?? Ah... but
Shibboleth's been doing that a while, in the university world!
http://shibboleth.internet2.edu/docs/shibbing-news-Oct03.html Ann West
has obviously been at it a while, in that space:
http://www.internet2.edu/presentations/spring02/20020506-MW102-West.htm


As I keep saying, I like OpenID. It smells right - having read all
manner of these kinds of specs ever since 1986, when I got forced to read
a draft of ECMA TR/46 (1989) (my tutor in secure (internet)
communication protocols made us read his drafts). My teacher in
distributed systems was happily working away on PEM in IRTF at the same
time. I remember he forced us to write an essay on the future of RSA in
email, and how to use DES in counter mode for encrypting IP fragments
stored in Ethernet/token ring frames! The TLS WG in IETF is almost about to
catch up :-) with keying material derivation for connectionless (TLS)
protocols!

Don't remember reading anything from the godfather of identity
management, tho. 

Perhaps he published in the 70s? 

How far back do I have to go? I do have a large library of musty old
security books I can research. It's mostly all about the early generation
of IBM ATM protocols, tho. I did have a lot of 80s era military secure
data/phone comms stuff from Motorola GSTG, but I destroyed most of it.
Perhaps the godfather was referenced in there? Perhaps he worked for GTE
or SAIC running NSA key management centers handling keying material
requests for 1000 DoD military bases around the world, running the
Caneware/SDNS protocol suite (http://www.toad.com/gnu/netcrypt.html)?
After all, there was lots of identity management work done there for the
milnet and intelligence variants of the internet, which he must have
invented too!

I do wonder how I could have missed the sacred laws/rules. But without
reverence for the laws, after all... one is but an intellectual fraud
without authority to spout!

-----------------

Seriously, I don't mind Kim Cameron nicely wrapping up a lot of prior
art, and getting credit for an effective communication job. But let's
not mix communication skills and effective advocacy with invention or
long term leadership. Let's not forget that the architects of Passport
also got Microsoft into a bind with the EU privacy commissioner...
http://www.epic.org/privacy/consumer/microsoft/passport.html. I bet I
know whose SAML-biased lobbying money invited those investigations tho
:-)