[OpenID] Reconsidering http://openiddifferent from https://openid

Peter Williams pwilliams at rapattoni.com
Fri Sep 21 21:48:03 UTC 2007 

The problem statement is
 
The web is cheap, cost effective and sufficiently safe for 80% of users and usages. It is less safe for those the business to business usages that demand quality and security in the 80-85% user/usage safety band. The goal of OpenID is to deliver cost-effective WebSSO to this 80-85% band of users and usage quality, bringing down the cost of WebSSO deployment and operation to that equivalent to the cost of deploying and operating a general purpose web server, whilst suffering a marginal and tangible increase in residual risk. A second goal of OpenID is to garner widespread adoption in the 80-85% category of users and usage cases, so that the increase in marginal risk is spread across a very large group amenable to risk underwriting by warranties backed by major insurers or Lloyds syndicates.
 
This is peter speak. But you get the idea.

________________________________

From: general-bounces at openid.net on behalf of Pat Patterson
Sent: Fri 9/21/2007 10:04 AM
To: Paul C. Bryan
Cc: OpenID List
Subject: Re: [OpenID] Reconsidering http://openiddifferent from https://openid


Doesn't this loop back to http://identityblog.burtongroup.com/bgidps/2007/09/what-is-openid-.html ?

The lack of a formal problem statement/requirements means that, to a certain extent, we are all just stumbling about in the dark, bumping into each other, rather than converging on a specific goal.

Cheers,

Pat

Paul C. Bryan wrote: 

	Well put. +1!
	
	If there were general consensus by the OpenID development and deployment
	communities that OpenID should be strictly limited to being a
	replacement to email verification, I certainly wouldn't quarrel so much
	with such attempts at making it more intuitive at the expense of
	security.
	
	Paul
	
	On Fri, 2007-09-21 at 08:11 -0500, Christopher St John wrote:
	  

		On 9/20/07, Paul C. Bryan <email at pbryan.net> <mailto:email at pbryan.net>  wrote:
		    

			I believe the question should be framed around what solution can be
			(primarily) secure and (secondarily) intuitive.
			
			      

		I think the disconnect is the assumption that OpenID should be secure
		against every conceivable form of attack and appropriate for the most
		sensitive financial transactions.
		
		It's not.
		
		It's a widely applicable but very simple and limited replacement for
		those stupid email verification thingies. As such, it's more important
		that it be intuitive than ultimately secure.
		
		If you need the former, then Oasis has some technology for you. It's
		pointless to try and reinvent it here.
		
		Limiting the scope makes it possible to ignore lots of hard
		problems.
		
		For example, I suspect that the DNS attack is a red herring. If you
		had control of someone's access to DNS you could do much
		evil-er things than mess with their OpenID. And the fact that their
		OpenID is a relatively low-value target (compared to bank logins)
		makes it less likely to be attacked.
		
		
		-cks
		
		    

	_______________________________________________
	general mailing list
	general at openid.net
	http://openid.net/mailman/listinfo/general
	  


-- 
Pat Patterson - pat.patterson at sun.com
Federation Architect,
Sun Microsystems, Inc.
http://blogs.sun.com/superpat

More information about the general mailing list