[OpenID] 2-Headed OpenID Auth for Increased Security?

Peter Williams pwilliams at rapattoni.com
Sat Nov 29 20:32:54 UTC 2008


I was taught this (general) business nearly 15 years ago by someone who insisted we learn to write up the specific threats/countermeasures facing CAs/OPs/IDPs in their mission formally ...as ITSEC (nowadays: common criteria) controls. Then, he (being an advanced student of the art) showed how one could up the constraints formally (using a formal functional language called Z, which allowed theorem proving in relatively popular algebra). The hardest constraint to capture, specific to TTPs, concerned the (ITSEC) threat of "abuse of system high privileges" (and then "abuse of delegated namespace rights"). These two characterizations were deemed sufficient to address the "security objective" dealing with the problem of "mutual suspicion between authorities".

This is where PKI comes into its own, where - in a network of such authorities who must address the "mutual suspicion" (that an insider operating another authority will exploit the system high privilege to abuse their authority level) - the imposition of a graph of (a) namespace delegation and (b) formal asymmetric key management controls allows one to address the main risks flowing from the mutual suspicion of authorities objective.

Using X.509 PKI (or any XML metadata doing the same job as PKI) the risks are usually addressed in a quite intuitive way: 1. the authority is given only limited scope to do damage (and the namespace controls represent that scope), and 2. the asymmetric key management controls concerning 'authority compromise handling' can not only remove the keys of the malevolent authority from use in the trust system, but one can also demonstrate that the distributed network of cooperating authorities can QUICKLY purge from the overall system all keys/names issued by the malevolent authority, within its naming scope.

This is not a new problem, and it's well researched academically (and in formal security analysis for high-assurance military/intel systems).

Operational controls such as dual key arming, multi-key escrow, n of m key splitting, countersigning by n authorities... address failure modes of the system - and allow an evaluator to give a rating to the system's ability to perform "trusted recovery". This is not the same issue set as the issues associated with mutual suspicion.


From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of David Fuelling
Sent: Saturday, November 29, 2008 10:42 AM
To: OpenID List
Subject: [OpenID] 2-Headed OpenID Auth for Increased Security?

Hey List,
One issue that I keep coming back to is that my OP (or a rogue employee at my OP) could masquerade as me at OpenID-enabled RPs across the web, since the OP is a single authentication point in the OpenID ecosystem.

I suppose there are several ways to make this happen, but I'd appreciate any feedback on this idea...
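The two PKI controls Peter describes above (an authority can only name things inside its delegated scope, and compromising an authority purges every key and name issued beneath it without touching sibling authorities) can be shown in a small model. The following is an added example, not code from either poster or from any OpenID or X.509 implementation; the authorities, scopes, key ids and the DNS-suffix scoping rule are all constructed for illustration.

```python
"""Toy model of namespace-scoped delegation and authority-compromise purging.

Hypothetical illustration, not real PKI code: each authority holds a key id
and a delegated naming scope (a DNS-style suffix). Issuance outside the
scope is refused, and compromising an authority removes its key and every
name it or its sub-authorities issued, while sibling authorities are unaffected.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Authority:
    name: str
    key_id: str                      # stands in for a public-key fingerprint
    scope: str                       # suffix this authority is allowed to name
    parent: Optional["Authority"] = None
    children: List["Authority"] = field(default_factory=list)
    issued: List[str] = field(default_factory=list)   # names it has asserted
    revoked: bool = False


def within_scope(name: str, scope: str) -> bool:
    """A name is in scope if it equals the scope or is a sub-name of it."""
    return name == scope or name.endswith("." + scope)


class TrustNetwork:
    def __init__(self, root: Authority):
        self.root = root
        self.authorities: Dict[str, Authority] = {root.key_id: root}
        self.trusted_keys = {root.key_id}

    def delegate(self, parent: Authority, child: Authority) -> bool:
        """A parent may only hand out a sub-scope of its own scope."""
        if parent.revoked or not within_scope(child.scope, parent.scope):
            return False
        child.parent = parent
        parent.children.append(child)
        self.authorities[child.key_id] = child
        self.trusted_keys.add(child.key_id)
        return True

    def issue(self, issuer: Authority, name: str) -> bool:
        """Accept a name only from a trusted key and only inside its scope."""
        if issuer.key_id not in self.trusted_keys:
            return False
        if not within_scope(name, issuer.scope):
            return False                      # namespace control: refused
        issuer.issued.append(name)
        return True

    def is_valid(self, name: str) -> bool:
        """A name is valid only while its issuer's key is still trusted."""
        return any(name in a.issued
                   for a in self.authorities.values()
                   if a.key_id in self.trusted_keys)

    def compromise(self, key_id: str) -> List[str]:
        """Purge the authority and everything transitively beneath it.

        Returns the names removed from the system.
        """
        purged: List[str] = []
        stack = [self.authorities[key_id]]
        while stack:
            a = stack.pop()
            a.revoked = True
            self.trusted_keys.discard(a.key_id)
            purged.extend(a.issued)
            a.issued.clear()
            stack.extend(a.children)
        return purged


def demo() -> dict:
    """Constructed scenario: two sibling OPs under one root, one of which is compromised."""
    root = Authority("root", "K0", "example")
    net = TrustNetwork(root)
    a = Authority("op-a", "K1", "a.example")
    b = Authority("op-b", "K2", "b.example")
    a_sub = Authority("op-a-sub", "K3", "sub.a.example")
    net.delegate(root, a)
    net.delegate(root, b)
    net.delegate(a, a_sub)

    results = {}
    results["in_scope"] = net.issue(a, "alice.a.example")
    results["out_of_scope"] = net.issue(a, "mallory.b.example")   # refused: not a's scope
    net.issue(a_sub, "carol.sub.a.example")
    net.issue(b, "bob.b.example")

    results["purged"] = sorted(net.compromise("K1"))    # a and its sub-authority go
    results["a_valid_after"] = net.is_valid("alice.a.example")
    results["b_valid_after"] = net.is_valid("bob.b.example")
    results["a_can_reissue"] = net.issue(a, "alice.a.example")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the containment property Peter argues for: the rogue authority's damage is bounded by its scope before compromise, and after compromise a single graph walk removes everything it could have asserted while `op-b`'s names stay valid.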

