[OpenID] Secure attribute transmission
Peter Williams
pwilliams at rapattoni.com
Sun Aug 3 21:49:51 UTC 2008
If the rp cannot "afford https", view this as a sign you don't want to be using that site for anything sensitive. Sensitive these days includes your friends list.
If a rp site is claiming excellence in its online features, but cannot afford https outlay, again their story is not hanging together. Audit red flag.
If a rp has spent money on implementing or integrating openid2 (which involves using https, in reality, to the xri proxy) and does not offer https as a rp, worry. The audit red flags are really up: their story is inconsistent.
Self-signed certs for https are trivially easy to turn on: costing nothing, though they have adoption hassles similar to ssh2. Annual expenses to easily get around these issues are down to 25 euros (less than the cost of 1 starbucks coffee, a month).
A site that cannot afford those euro outlays may not be sufficiently financially sound ... to uphold the commodity security posture expected by global consumers, these days.
A site that prefers to design an ad hoc channel encryption protocol rather than use the well-reviewed handshake of ssl is also "somewhat" worrying. Normally, rookie crypto designers make the same or probably more crypto errors during handshake design as did the ssl designers, initially (and they had years and years of academic crypto experience!).
(I ran the "security review" policy at verisign for a while, requiring vendors licensing verisign trust points to engage a firm to do a pretty cursory inspection of their use of the ssl library. Guess what? The same implementation errors would occur over and over again, potentially degrading the trustworthiness of the verisign brand. After a few years, the "basic/noddy" design/implementation error rate stabilized, once certain flaw categories became widely understood. At that point, we let more conventional assurance programs take over, when gauging trustworthiness and assurance levels.)
-----Original Message-----
From: Johnny Bufu <johnny.bufu at gmail.com>
Sent: Sunday, August 03, 2008 2:17 PM
To: Easysurfer at gmx.de <Easysurfer at gmx.de>
Cc: OpenID List <general at openid.net>
Subject: Re: [OpenID] Secure attribute transmission
On 03/08/08 11:27 AM, Easysurfer at gmx.de wrote:
> I'd like to transmit sensitive data over the Attribute Exchange Extension and was wondering about the best way for encryption.
[...]
> Any ideas? I'd like to pass the info over using only the OpenID
> protocol, not invent another protocol for my own use.
If what you're trying to avoid is the exchange of another secret key
(and not require the RP to offer an HTTPS endpoint), then your only
option is to enforce stateful mode and use the shared association
secret to encrypt the attributes.
Otherwise, the exchange of the encryption key can be done through
attribute exchange. Working with the same assumption that RPs can't
generally afford HTTPS endpoints, the key exchange would have to be
initiated by the RP against an HTTPS OP endpoint, e.g. through an AX store
request.
Johnny