[OpenID] 2-Headed OpenID Auth for Increased Security?
Ben Laurie
benl at google.com
Mon Dec 1 13:41:53 UTC 2008
On Mon, Dec 1, 2008 at 1:23 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Xrd or xrds?
XRD.
> Interesting! If you go XRD, then you can do DNSSEC-like namespace controls,
> much like the trusted resolution mode of XRI.
Not yet all that familiar with fully blown XRD, so I'll have to take your
word for this - but I am familiar with DNSSEC, so I'm wondering what you
mean by a "namespace control"?
> Rather than be DNSSEC-static, however, signatures on XRD could also serve
> as security tokens, citable on the peer (web) services ("managed" by the
> XRI/URI). Butler Lampson will be in heaven.
>
> ________________________________
> From: Ben Laurie <benl at google.com>
> Sent: Monday, December 01, 2008 5:13 AM
> To: Peter Williams <pwilliams at rapattoni.com>
> Cc: Eric Norman <ejnorman at doit.wisc.edu>; OpenID List <general at openid.net>
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
>
>
> On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Time to take the extension power of XRDS, and apply xmldsig "detached
> signature(s)"
>
> Signing XRD is pretty much what we're proposing for the next generation...
>
>
>
> This would be using similar mechanism as used in Authenticode, where
> designers applied 3rd-party countersigning and 4th-party timestamping to
> solve validity problems - at internet scale. Different parties (OP,
> discovery agents, validation) can then cooperate, in the inherently
> suspicious world of open systems.
>
> The Shib/Apache-xmltooling toolset has all the mechanisms required to make
> power-use of the flexibility of the xmldsig standard (as do many other
> tools). Being very, very flexible in its references, it's easy to screw up
> application of xmldsig, producing unwanted side effects though.
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Eric Norman
> Sent: Sunday, November 30, 2008 9:50 AM
> To: OpenID List
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
>
> On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
>
> > I like the idea.... but the XRDS would have to mandatorily not be
> > hosted by either OP (which right now is commonly done), since that OP
> > would still ultimately have total assertion power by temporarily
> > manipulating the XRDS file to point to two OP endpoints that were both
> > controlled by the evil party.
>
> Be careful. "Hosted by" does not necessarily imply "content
> controlled by".
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
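The exchange above describes the "2-headed" idea (two independent OP endpoints advertised in one XRDS) and Andrew Arnott's objection that whoever controls the XRDS content can simply point both heads at endpoints it controls. The following is an added example, not code from any of the list participants or from the OpenID project: it parses a constructed XRDS document with Python's standard library, collects the OpenID 2.0 OP endpoints, and applies a relying-party policy that rejects the single-controller case. The "registrable host" heuristic (last two DNS labels) and the sample hostnames are assumptions made for the example; verifying a detached signature over the XRDS, the part of the thread about xmldsig, is a separate step that this block does not perform.

```python
"""Relying-party check for a "2-headed" OpenID XRDS document.

Added example for the discussion above (not OpenID-project code). Policy:
exactly two OpenID 2.0 OP endpoints, over https, under two different
registrable domains, neither of which is the domain that served the XRDS.
It cannot tell "hosted by" from "content controlled by" (Eric Norman's
point); that would need integrity protection of the XRDS itself.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"          # XRD 2.0 namespace used by XRDS
OPENID2_TYPES = {
    "http://specs.openid.net/auth/2.0/signon",  # claimed-identifier discovery
    "http://specs.openid.net/auth/2.0/server",  # OP-identifier discovery
}

# Constructed sample: two OPs under different domains (hostnames assumed).
GOOD_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-one.example.net/openid</URI>
      <LocalID>https://op-one.example.net/user/alice</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-two.example.org/openid</URI>
      <LocalID>https://op-two.example.org/alice</LocalID>
    </Service>
    <Service priority="30">
      <Type>http://example.com/unrelated-service</Type>
      <URI>https://other.example.com/x</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample: Arnott's case, both "heads" under one controlling domain.
EVIL_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service><Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://a.evil.example/openid</URI></Service>
    <Service><Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://b.evil.example/openid</URI></Service>
  </XRD>
</xrds:XRDS>"""


def op_endpoints(xrds_xml: str) -> List[str]:
    """Return the URIs of every <Service> that advertises an OpenID 2.0 type."""
    root = ET.fromstring(xrds_xml)
    found = []
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if not types & OPENID2_TYPES:
            continue                      # e.g. an unrelated service entry
        for uri in service.findall(f"{{{XRD_NS}}}URI"):
            if uri.text:
                found.append(uri.text.strip())
    return found


def registrable_host(url: str) -> str:
    """Approximate the controlling domain as the last two labels of the host.
    Assumption for the example; a real deployment would use the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def check_two_headed(xrds_xml: str, xrds_host: str) -> Tuple[bool, str]:
    """Apply the 2-headed policy to an XRDS served from xrds_host."""
    endpoints = op_endpoints(xrds_xml)
    if len(endpoints) != 2:
        return False, f"expected 2 OP endpoints, found {len(endpoints)}"
    if any(urlparse(e).scheme != "https" for e in endpoints):
        return False, "OP endpoint is not https"
    domains = {registrable_host(e) for e in endpoints}
    if len(domains) != 2:
        return False, "both OP endpoints are under one controlling domain"
    if registrable_host("https://" + xrds_host) in domains:
        return False, "XRDS host also controls one of the OP endpoints"
    return True, "ok"


if __name__ == "__main__":
    print(check_two_headed(GOOD_XRDS, "id.example.com"))   # (True, 'ok')
    print(check_two_headed(EVIL_XRDS, "id.example.com"))   # rejected: one domain
    print(check_two_headed(GOOD_XRDS, "op-one.example.net"))  # rejected: XRDS host is an OP
```

The third call shows why the XRDS host matters even when the two heads are distinct: if the document is served from one OP's domain, that OP can rewrite it. The check is only as good as the integrity of the bytes it parsed, which is exactly what the signed-XRD proposal in the thread is meant to supply.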