[OpenID] Fwd: Several Questions for the Current & Future Board

Peter Williams pwilliams at rapattoni.com
Sun Dec 21 17:16:26 UTC 2008


"The primary aim of the Review of OpenID project was to produce a report to allow decision-makers to understand OpenID’s security properties in order to perform risk assessment of their envisaged use cases and avoid any of OpenID’s potential security pitfalls"



What an introduction! From the reference page, no less. Talk about imputations!

But it's fair. This is where a lot of potential adopting parties start/started, in their perception.

When I get a PC that can read PDF, I hope my reading of the report will disabuse the imputation that OpenID tech is any more or less inherently vulnerable than SAML WebSSO (since OpenID 2 has all and more than SAML 2 + PKI has, for overlaying assurance). We will also see if they scoped the report to exclude OpenID 2. The tone will tell the story.

But to the election. What are folks going to do about this bias in perception, in the coming year? It's not only the WebSSO competition running the rumor mill. It's the foundation's own behaviour, focusing all on the "big OPs" as the model deployment case. The harder issue is the RPs. Are they independent in UCI, or just elements of the big OPs' trust networks?


As we just saw, one RP just willingly added CAcert into its pot of CAs, and showcased how OpenID discovery can be easily spoofed, even in OpenID HTTPS modes. While the specs admit and counter these vulnerabilities using spec-ese, the movement is more generally failing to articulate how adopting parties can address these issues practically, without losing sight of the movement's lofty UCI goals (users choose their own OP).

One thing to do is come out against self-operated OPs (self-issued cards). The movement is only about mega OPs addressing generalized consumer needs (Live, Google, Yahoo, AOL for foundation.us) (x y z in foundation.eu) (a b c in foundation.jp) (1 2 3 in foundation.kr). If BT wants to play as a global OP then it will do what it did with VeriSign in the PKI space, and become a simple reseller, buying into a trust network of ready-made RP sites.

Fun year ahead, evidently. We will see if folks can manage to tie their market share in the browser-RP market with the brand-new OpenID website-RP market.

Anyone know Google Chrome's CTL/root registry policy? Any innovations, or is it just more of the same? They could move the goal posts, if they really wanted to, now that WebSSO and website-RPs are clearly on the HTTPS radar for the first time.

-----Original Message-----
From: Peter Williams <pwilliams at rapattoni.com>
Sent: Sunday, December 21, 2008 8:34 AM
To: Joss Winn <jwinn at lincoln.ac.uk>; chris.messina at gmail.com <chris.messina at gmail.com>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] Fwd: Several Questions for the Current & Future Board


Hopefully, that is the one.

Isn't email a wonderful locator service. 9th Dec 2008?

Out of interest, did any board member (US or Euro) have access to this (or a draft) before 9 Dec? If not, why not! Someone is not doing their job if they are not properly networking.

Now there may be at least 4 OpenID-to-SAML gateway designs: Ping Identity original (OpenID 1), TrustBearer/OpenToken for Rapattoni (OpenID 2), TrustBearer SAML 2 native for their various govt clients (OpenID 2), UK academia experiment (OpenID 1, at the outset).

The US Shib community had easy access to partial OpenID 1 support at some point. Any chance it works now (i.e. I can try it to talk to PBwiki) AND it talks to the UK academic OpenID gateway (if operational)?



-----Original Message-----
From: Joss Winn <jwinn at lincoln.ac.uk>
Sent: Sunday, December 21, 2008 12:22 AM
To: Peter Williams <pwilliams at rapattoni.com>; chris.messina at gmail.com <chris.messina at gmail.com>; general at openid.net <general at openid.net>
Subject: RE: [OpenID] Fwd: Several Questions for the Current & Future Board


-----Original Message-----
From: general-bounces at openid.net on behalf of Peter Williams
Sent: Sat 12/20/2008 20:20
To: chris.messina at gmail.com; general at openid.net
Subject: Re: [OpenID] Fwd: Several Questions for the Current & Future Board

UKG apparently spent public money at the University of Kent on OpenID, last year. Do we have access to its final report and the data and the experimental setup and the list of piloting sites and the contacts...? Betcha anything certain board members had access (or had access to its penultimate draft at least)! I'd love to see the results. Doubt I ever will.

Hello. Just joined this list so I might have misunderstood what you're referring to.

Is this the report you're looking for, published on the 9th December? A joint project between Universities of Edinburgh and Kent:

http://www.jisc.ac.uk/publications/publications/openidfinalreport.aspx
http://www.jisc.ac.uk/media/documents/programmes/einfrastructure/openid-finalreport-v1.0.pdf

You'll see they've created an OpenID Shibboleth Gateway for demo purposes as well as providing a design summary.

Cheers
Joss

--
Joss Winn
Technology Officer
Centre for Educational Research & Development
University of Lincoln
Brayford Pool
Lincoln
LN6 7TS

http://learninglab.lincoln.ac.uk/blogs/joss