[OpenID] Security/featureset at odds?

SitG Admin sysadmin at shadowsinthegarden.com
Sat Aug 2 03:37:41 UTC 2008


>By mandating https, it overcomes most objections to its lack of 
>protocol handshake design features.

I hadn't been aware https was mandated. It wouldn't matter much in 
any case, for what I'm seeing.

I wrote previously about "a single node that is either compromised, 
or deceived into thinking an attacker is the legitimate user by 
*another* compromised node", and the difference between these is 
essentially "a node that is usually involved, directly, in the OpenID 
authentication, or a node that is usually not involved". A node could 
be compromised due to services it was running other than OpenID or 
https (including its OS, with an exploit for that), and then employ 
all the security measures it would normally (when authenticating the 
*rightful* user) have at its disposal.

The question is how far the ramifications of this single point of 
failure can extend, and that's what I'd like to look at in advance. 
If we want to impress potential adopters with the security available 
for this model, we shouldn't leave this question unaddressed, to be 
answered publicly with real harm or privately by security advisors 
who see a problem we haven't; we should have warnings up about bad 
combinations for the network, and be offering solutions to those 
security problems preemptively.

>Your comments about rights to buddy list x means rights to influence 
>buddy list y simply lost me. I hadn't seen anything in the openid 
>concept that came down to buddy list "synchronization" (as a side 
>effect of the websso or trust relationship that is implied by 
>openid).

As a framework (the barebones foundation technology, on which 
everything else can be built by combining pieces that "come with" it 
and integrating into an existing site), OpenID does exactly nothing. 
The first question any party (O or R or other) should ask in this 
model, once information has been conveyed from one to another, is 
"So?"

It is in the answers to that question that OpenID both enables 
features and introduces new security risks, but those answers are the 
prerogative of the appropriate parties - OpenID doesn't dictate them.

-Shade


