[OpenID] Supporting OpenID

Nate Klingenstein ndk at internet2.edu
Sun Apr 13 05:43:57 UTC 2008


Peter,

I'm not sure how it's germane to this discussion, but there are at  
least two distinct issues with proxies and gateways.  These issues  
are particular to spoofing and reassertion, which are the easiest  
ways to implement a gateway, and consequently the ways that are  
really widespread.

The impact on the privacy of the end user you describe is one  
concern.  They consume and parse user information before passing it  
along.

However, security is also impacted: without the elaborate proxying  
and delegation design you note, they eliminate the end-to-end trust  
between providers and often incidentally destroy information.  We  
prefer to make our authorization decisions by attribute, and the  
issuer/authority for those attributes can be important for their  
interpretation.  This information is usually lost in proxying models,  
and is actually remarkably difficult to preserve.

Large content providers are facing this problem now as the pool of  
deployers grows.  Multiple organizations that have no resources to  
run their own IdP are banding together to form single IdPs.  This
gateway makes differentiation of users for resource allocation and  
contractual fulfillment challenging, while access control rules must  
be more complicated.  I'd like to see such single IdPs in the future
at least provide attributes to allow for differentiation, and would  
like to see IdP outsourcing services arise for organizations that  
would prefer to use them.

That all said, there are often situations where these perceived  
shortcomings of proxying are actually desirable.  A set of  
applications may wish to appear to many IdPs as a single application
for simplicity, or backend applications may not want to understand  
federated identity.  A gateway is perfect for these use cases.

Just another tool in the identity kit,
Nate.

> If I generalize the topic now, I did note in browsing some  
> Shibboleth design session notes on an Internet2 wiki that Scott  
> Cantor has previously expressed reservations on gatewaying - on the  
> grounds (and here I interpret a little) that they interfere with  
> privacy features. The point being, I think, that the very notion of  
> gatewaying sp-initiated flows back to back (and yet further back-to- 
> back WITHOUT formalized proxy control signaling) interferes with  
> the writer-to-reader (end-to-end) assumptions that the security  
> services built into the websso protocols usually make, in their  
> privacy-enhanced signaling. While cardspace clearly has the  
> capability to enforce writer-to-reader (relying on TPM to TPM and  
> crypto control system to enforce an ORCON policy), it's making broad
> assumptions about trust hardware and trust OS deployment that is of  
> course not "yet viable," in today's web.
>

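The issuer-loss problem Nate describes, modelled as an added example (not code from the list or from any Shibboleth component): a relying party whose policy keys on which authority asserted eduPersonAffiliation, an IdP gateway that naively reasserts attributes under its own name, and a variant that carries the upstream issuer forward. All entityIDs, the policy table and the `x-upstream-issuer` attribute name are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    issuer: str       # entityID of the party that signed the assertion
    attributes: dict  # attribute name -> tuple of values

# Constructed entityIDs for the example.
IDP_A = "https://idp.example-a.edu/idp"
IDP_B = "https://idp.example-b.edu/idp"
GATEWAY = "https://gateway.example.org/idp"

# Constructed RP policy: only "member" affiliation asserted by IdP A is entitled.
POLICY = {(IDP_A, "member")}

def reassert(assertion, gateway_id):
    """Naive reassertion: the gateway re-issues the attributes as its own;
    the original issuer/authority is not carried anywhere."""
    return Assertion(issuer=gateway_id, attributes=dict(assertion.attributes))

def reassert_preserving_authority(assertion, gateway_id):
    """Reassertion that records the upstream issuer in an extra attribute
    (constructed name) so the RP can still differentiate users by home org."""
    attrs = dict(assertion.attributes)
    attrs["x-upstream-issuer"] = (assertion.issuer,)
    return Assertion(issuer=gateway_id, attributes=attrs)

def authorize(assertion, policy):
    """Authority for the attributes is the upstream issuer if the gateway
    preserved it, otherwise whoever signed the assertion."""
    authority = assertion.attributes.get("x-upstream-issuer", (assertion.issuer,))[0]
    affiliations = assertion.attributes.get("eduPersonAffiliation", ())
    return any((authority, aff) in policy for aff in affiliations)

def demo():
    """Run the same two users through direct, naive-gateway and preserving-gateway paths."""
    user_a = Assertion(IDP_A, {"eduPersonAffiliation": ("member",)})
    user_b = Assertion(IDP_B, {"eduPersonAffiliation": ("member",)})
    return {
        "direct_a": authorize(user_a, POLICY),                                  # True
        "direct_b": authorize(user_b, POLICY),                                  # False
        "naive_gw_a": authorize(reassert(user_a, GATEWAY), POLICY),             # False: issuer lost
        "preserving_gw_a": authorize(reassert_preserving_authority(user_a, GATEWAY), POLICY),  # True
        "preserving_gw_b": authorize(reassert_preserving_authority(user_b, GATEWAY), POLICY),  # False
    }

if __name__ == "__main__":
    print(demo())
```

With the naive gateway the RP can only grant or deny every gateway user alike; preserving the authority restores per-organization differentiation without changing the RP's policy.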