[OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Peter Williams
pwilliams at rapattoni.com
Sun Jan 13 06:34:17 UTC 2008
Im thinking more in terms of standards evolution, than today's deployment.
Lets assume openid takes off as an SSO standard for the web -- and starts to protect even semi-critical infrasrtucture. We have to be able to rationalize the protection mechanisms of openid in standard terms. In the case of the issue you noted, that rationalization will need to address how one would methodicically demonstrate how 'discovery over https" ensures the policy of the parties relying on one of the given virtual OPs in the multi-policy-domain OP server.
________________________________
From: Cameron King [mailto:cameron at uniquekings.com]
Sent: Sat 1/12/2008 9:05 PM
To: Peter Williams
Cc: Eddy Nigg (StartCom Ltd.); general at openid.net
Subject: Re: [OpenID] Selectively Redirecting OpenID Traffic To HTTPS
Well, you've just given me a few more things to look into as I'm not
already familiar with the topics you've just brought up. +MISSI +B3
isn't helping me much in Google though. Could you email me some links I
can use to become more familiar on the topic?
While I'm not sure that either of these are in the realm of possibility
for your average net user trying to setup his vhosted blog to delegate
an OpenID, these options might be very appealing to a larger company who
wants to SSL enable all their OpenIDs.
Peter Williams wrote:
> There would seem to be two, obvious architected approaches to the underlying assurance issues for multiple OPs operating in a virtual https context (wildcard SSL certs, vs load balanced clusters relying on SSL session de/multiplexing):-
>
> 1. A MISSI-based B3-grade general-purpose server system, in which the crypto of each openid OP is keyed/controlled by a distinct policy authority asociated with one PKI (controlling via certs how reliance is performed in that partitioned distibuted community), with the B3 principles on the virutal host ensuring that protection domains and security domain design principles properly seperate the OPs from each other when handling messages
>
> 2. A OpenId Server supportiing virtual OPs addresses the requirements of http://www.niap-ccevs.org/pp/draft_pps/pp_draft_skpp_hr_v0.621.pdf - where crypto is just a bit of signing/verification/keyexchange rather than a control system providing for seperation. The assurance comes from the design of the kernel, upon which one must ultimate rely.
>
> Depending which side of the assurance wars you fall into (NSA crypto-based assurance, or DARPA/USNavyHA trusted OS assurance), you can choose your own poison.
>
> ________________________________
>
> From: general-bounces at openid.net on behalf of Cameron King
>
> By vhosts I mean name-based virtual hosting. Most hosting providers do
> not give each user their own IP address and certificate. Often the
> added cost of a SSL-enabled hosting plan (expecially a wildcard
> certificate) can be substantial compared to the otherwise low cost of
> hosting. We wouldn't want to make SSL a requirement if we are shooting
> for high adoption rates.
> ...
>
> Eddy Nigg (StartCom Ltd.) wrote:
>> What do you mean by "vhosts"? Something like user.domain.com? In which
>> case a wild card certificate would do the trick...but also
>> domain.com/user is a valid approach for openid.
>>
>> Cameron King wrote:
>>> ...
>>> My only real concern with having https be the default protocol for
>>> OpenIDs is that vhosted sites who want to delegate become more
>>> complicated - probably requiring a plan upgrade just for that SSL and
>>> dedicated IP. We can't easily "autodetect" either without causing
>>> spoofing issues on vhosts.
>>> ...
>>>
>>> Eddy Nigg (StartCom Ltd.) wrote:
>>>> Well, I suggested that more than a year ago just to get booed down...it
>>>> really should be part of the policy
>>>>
>>>> Sean Reilly wrote:
>>>>> I think the point is that OpenIDs should start with https: so that
>>>>> there is no http->https redirection needed. If any step of the
>>>>> process goes through a normal http exchange/redirect then there is a
>>>>> weak link in the chain where a bad guy could take over the
>>>>> authentication.
--
Cameron King
More information about the general
mailing list