[OpenID] Fwd: Several Questions for the Current & Future Board

Peter Williams pwilliams at rapattoni.com
Sun Dec 21 23:48:31 UTC 2008


Thanks Google. I read the report on my HTML-capable phone. Worked reasonably (though it crashed the Windows OS, eventually).

There are 12 users of the service in total. What they may access, if there is anything, are assets of no perceived value. It's not clear if there is a single blog/wiki operational and authenticating (the bridge-managed) comments.

It took a month to build the gateway, due to the difficulties of dealing with the UK Shib administrative apparatus. (TrustBearer and Rapattoni took less than 36h, albeit with a peer-to-peer management concept, to add OpenID2 logon to Gmail, in a $50 Google Apps managed domain.)

A lot of the review is premised on turning the existing UK control structure for Shib sites into a trust framework to mitigate the downsides of OpenID's unadulterated UCI model.

There is some evidence of new work on building out trust overlays for the OpenID OP to SAML SP bridging (in much the same way that trust overlays in spanning-tree networks for MAN-scale Ethernets address ARP and DHCP poisoning, or PVLAN enforcement across VLANs).

There was no evidence that UK academics would ever value or allow authenticated comments on UK blog sites (whether valuable or not). It's not obvious that a Shib IdP was ever bridged to help verify an authenticated comment to a Blogger site, or logon to PBwiki or Plaxo.

There was little or no analysis of the security properties of XRI resolvers or the proxy resolver, and the relation of this query infrastructure when proving an OpenID-native trust overlay apparatus to OpenID SP sites. The role of HXRI seems to have been underestimated or ignored.

There was obsessive comparison of OpenID Auth and AX with SAML1/SAML2 WebSSO and the Shib implementation's value-add to the SAML standard. This was generally even in tone, as the review goal seemed to focus on how one might leverage the Shib control framework to create a trust overlay for OpenID OP sites. No analysis was given of the suitability of Shib's own metadata-centric models for this function.

The relationship of the OpenID Auth protocol to HTTPS (namespace controls and PKI) was lacking analysis. There was little evidence of a review of the SP discovery mode for automated realm validation (and assertion release control).

There is evidence that the review started with preconceptions originated in a previous US-based OpenID1/Shib effort, did some interesting basic university research on trust overlays during gatewaying/bridging, spent nearly 5K per user to do few or no actual trials serving an unwilling, uncooperative community, and performed a qualitative risk analysis with scenarios tuned to a community well entrenched in SAML (and specifically Shib) based WebSSO.


--------

If the goal of reporting is to prompt someone else to have an idea and get off their ass to design an experiment to test it, the report worked. I want to go now and try having the SAML2 SP petition the bridge (albeit my own) for a new NameID format (beyond the standard transient and persistent formats formulated by OASIS) when using the SAML2 NameID service to map the federated name stored at the IdP/OP into an OpenID (https) URL accepted by the SP. As part of formal SP affiliations, the success of the latter overlay mapping will act as a trust overlay for the other SP sites in that affiliation group. One thus applies SP-centric federation models from SAML to the bridging problem between OpenID2 and SAML2.

In summary, I think that was worth ~100k dollars. At the same time it will obviously serve to reinforce certain prejudices. These remind me of a previous JANET world, which rejected native IP and core/edge-based routing too.


-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Sunday, December 21, 2008 12:33 PM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Fwd: Several Questions for the Current & Future Board


>When I get a pc that can read pdf,

Google "site:jisc.ac.uk openid pdf" (without the quotes). Third down,
look for "View as HTML".

>As we just saw, one RP just willingly added CAcert into its pot of
>CAs, and showcased how OpenID discovery can be easily spoofed -
>even in OpenID https modes. While the specs admit and counter these
>vulnerabilities using spec-ese, the movement is more generally
>failing to articulate how adopting parties can address these issues
>practically - without losing sight of the movement's lofty UCI goals
>(users choose their own OP).

Lofty, but impractical (as things currently stand), goals. The
problem with users determining their own identity (and
voucher/representative, to the rest of the (digital) world), is that
they then have *power* but currently (for the large part) are not
equipped or prepared to be *responsible* for it. Ultimately, this is
the anvil upon which our ideals will be forged or shattered - can we
educate users enough to bring *them* (not just our technology) into
the next stage of the web, or will we be forced to keep the power of
OpenID OUT of the hands of users because they cannot be trusted to
use it properly?

-Shade
