[OpenID] OpenID as state-issued ID

SitG Admin sysadmin at shadowsinthegarden.com
Tue Oct 21 23:18:01 UTC 2008


FYI, Nathan - the list distributes posts with a Reply-To of the 
person who sent it, not the list address, so you'll have to Reply To 
All or manually cc the list if you want everyone else to see it. 
(I've copied your replies to me into this post, so everyone else can 
see the full context and you won't have to resend those.)

>What concerns me is the security on the whole bit. Now I can see that what I
>said def. hit a nerve because I've been blown up with emails about it.

Don't mistake criticism for anger. The position you're taking *will* 
be subjected to a lot of attacks, because it's largely inapplicable 
to OpenID, but you shouldn't be seeing any attacks on you 
*personally*.

If you see it that way, I can only recommend taking a less 
confrontational approach to all this; if you think of yourself as 
asking a question rather than telling us what's what, you won't have 
primed yourself to be so sensitive to disagreement. It's also more 
polite - when you charge into a list that you've never posted on 
before (especially one that's been active for over 2 years, with such 
qualified members) and essentially tell them that they haven't 
thought about it and they need to reconsider it, it borders on being 
offensive to their intelligence. Do you really think none of this has 
occurred to us before? Conversely, if it has (but we're still doing 
this), do you really think we'd *care*? ;)

There are also practical reasons for bringing your concerns to our 
awareness without implying that it's hopeless or that the project 
should just be abandoned. I could easily write a critique of motor 
vehicles, complaining that someone might leap out in front and get 
run over before its forward motion ceased to carry it forward, and 
that in the case of a sudden stop for *any* reason physics would 
result in anyone inside flying forward through the windshield. Note 
that BOTH of these "flaws" have been easily addressed through the use 
of precautions that are now present in *every* vehicle: the 
"seatbelt" and "brake" security measures. I assure you that we did 
NOT get to this point in the development of motor vehicles by saying 
that the foreseeable risks were grounds for abandoning the whole idea!

You are not the only one here capable of intelligent thought. We have 
considered these problems before, and, if you simply ask yourself how 
such problems might be avoided, you will have taken the first step on 
the path of actually solving them. If you find yourself stumped, I 
suggest asking those who have spent significant amounts of their 
lifetime working on such problems, since we are unlikely to give up 
on security and privacy merely because we cannot immediately surmount 
an obstacle, and were thus more likely to have persevered long enough 
to solve those problems.

>The thing is if you start giving people a static bit of information that
>links back to that person. (Much like a "State ID" or a "Drivers License"
>does.) You risk that same bit of information giving access to much more
>information.

True, but not necessarily a quality of OpenID. It is possible to 
anonymously acquire a webpage (no registration with DNS), giving you 
an ID, but not linking back to the real-life *you* in any way. It is, 
in the same way, possible to acquire *many* webpages, each of them 
isolated from the others, giving you *many* OpenIDs, NONE of which 
are connected to you or to each-other.

>You cannot sit there and tell me that where those login details
>are used there won't be a record of it.

Can it be absolutely guaranteed, so that the user KNOWS it? No. But 
can it be done? Yes. Sites can be set up to log you in without 
recording the visit. My own site's design purposefully protects each 
user's identity from being seen by other visitors to the site.

>I personally will probably never
>use OPEN ID because I don't believe that a person should be labeled and
>stamped with a barcode on the internet. And that is exactly what you guys
>are talking about doing.

This may be our current topic of discussion (was it? I hadn't been 
aware that we were discussing such things - I thought most of the 
recent messages were about user interface/experience), but it is not 
what OpenID is about. If you think you have read that somewhere 
off-list, I suggest that you cite your sources so we can either 
clarify what we were talking about or point you at sources that we've 
actually *written* instead of reports by some confused 3rd party.

>As I said before I like that you are trying to make
>the whole internet login to websites bit much easier on the users. Only
>having to remember one username and password. That's great.

That's only a small part of what we're about, actually. The main 
feature of OpenID is *decentralization*: not having your digital 
Identity expire just because the company that was responsible for 
maintaining it suddenly went out of business or became corrupt. 
Decoupling identity from the sites that deal with it.

You shouldn't have to remember *any* username and password, and this 
has nothing to do with OpenID: you could be using biometrics and 
smart-cards and other technology to authenticate yourself, not 
relying on your E-mail provider to keep *that* account's username and 
password secure so no one can break into it and steal all your *other* 
accounts.

>But the problem
>is, all I'd have to do is snatch that person's OPEN ID and bam I have access
>to EVERYTHING.

This has some validity, but it's been anticipated since the earliest 
days. We do have solutions in place, first and foremost being the 
"only use one OpenID per site" technique mentioned earlier.

>And face it there will be absolutely no way for you guys to
>stop this from happening.

Ah, crud. You're right. Let's face reality, there absolutely cannot 
ever be any way in the future that this could be prevented. We'd 
better just admit defeat now, and go home.

That was sarcasm. You may have noticed a lot of fuss lately about 
voting fraud? Sucks, but what can we do about it? Well, 
surprisingly(?), that wasn't a rhetorical question to some folks. 
Back in 2006, the National Science Foundation (whose initials are 
giving me chills - I blame Deus Ex) sponsored an academic competition 
to determine the best open-source voting system.

I bring up this specific example because the preservation of 
anonymity was a value there, too - and not only is it important (in 
voting) to protect voters' identity from third parties (to prevent 
retaliation for votes), but also the *voter* (user) must be unable to 
prove which way they voted (so they cannot demonstrate it to those 
who are "buying votes"), and they've managed to achieve this 
*without* sacrificing transparency or accountability!

Now, if they can do that, is it really beyond imagination that we 
might some day be able to do much less?

>They can't even stop people's bank accounts from getting hacked.

You really shouldn't generalize this way. How much of this "hacking" 
is strictly due to the authentication method being used?

How much of it is "phishing", where the user is tricked into entering 
their password at an attacker's site? (OpenID *is* addressing this, 
or at least there are discussions on the topic currently; a 
consistent user experience isn't limited to just OpenID, either.)

How much is due to an "inside job", where someone at the bank 
withdraws the money directly from your account instead of logging in? 
(No authentication method will help you with this.)

How much is due to a "backdoor" or someone hacking the bank itself? 
(Backdoors bypass authentication. An attacker exploiting a flaw in 
the bank's web software to execute a withdrawal without permission is 
also not checking for authentication.)

How much is due to a keylogger or packetsniffer on the user's 
computer, recording passwords or whatever biometric data goes out to 
enable replay attacks? (The authentication method can't detect this, 
and no amount of anti-virus software will warn you that someone is 
"shoulder-surfing" by standing just behind you and peeking over at 
the screen or keyboard.)

How much is due to common words/phrases being used as passwords, 
easily guessed by a "dictionary" attack or even a brute-force attack? 
(Good "best-practices" are to prevent the user from generating such 
passwords and to check for successive failures, but - again - OpenID 
doesn't have to use passwords.)

There are A LOT of different ways a bank account might be broken 
into. Most of them have nothing to do with the authentication method. 
In any case, who is this "they" we can't possibly hope to do better 
than?

>Let me put it like this. What is easier to
>do. Go around a city and pick up one piece of trash at a time, or just go
>to the dump and pick it all up at once?? You're taking what used to be a lot
>of sensitive information and consolidating it so it makes a hackers job
>easier.

How are we consolidating it? Did the owner of a blog I just logged 
into to leave a comment on, acquire all my personal information? Or 
are we talking about the OP, which handles authentication for me, 
keeping all of this information in one place? Why *does* my OP even 
*have* all of this information, anyway? Why did I find it necessary 
to fill out information that was entirely optional and which I 
foresaw no need to share with any other site?

Let me make this clear: the sites I log into have exactly one piece 
of information, 'http://shadowsinthegarden.com' - that's me, that's 
all they know. If they want to know anything else, they'll have to 
*ask* me, because I'm sure as heck not divulging it automatically 
through my OP!

And, come to that, it's *my* OP. I can code it (and Apache's logs) to 
retain NO information about where I've been, about which sites I've 
authenticated to - or I can have it encrypt that data with a public 
key and E-mail it to one of my addresses or simply post it online 
(secure, in both cases, in the knowledge that only *my* computer has 
the private key to view this information), if I'm worried about 
hackers deleting the encrypted logs so I can't see their contents.

>The only way this stuff will ever work properly is if every PC on
>earth is equipped with a biometric DNA reader.

Biometrics are notoriously easy to fool, and DNA can be taken in a 
number of different ways - most of which just invite an attacker to 
steal part of your body so they can fool the system. It's like 
handcuffing a briefcase to your wrist - determined enough thieves 
will simply chop off your hand and run off with the goods anyway, 
while you're screaming and, by the way, no longer have a hand.

>And even then there will be ways around it. What would make me feel better

Bruce Schneier calls this "security theatre" - motions that let users 
*feel* better about their security, without actually *doing* anything 
about the problems.

>is if you referenced back the login to match up with the user's IP. Making

It is SO easy to spoof IP addresses that this is next to meaningless.

>only the user's home IP allowed to access the login.

This is an additional problem - lots of users still have dialup, and 
thus tend to frequently *change* IPs; what are we going to do, deny 
users access whenever they reconnect to their ISP or (have to) 
restart their cable/DSL modem?

>But something like that would significantly reduce the chances of
>a hacker being able to USE your login details. They still may be able to
>snatch it. But unless they have that user's home address and a way onto their
>network the information is useless.

So, what you're imagining is more like two-way SSL authentication, 
where that user's network is the only legitimate source for logins, 
and it's kept track of "by the internet" instead of being on the 
user's computer where that same key can be stolen by hackers? (Never 
mind that the *internet* itself is made up of many different 
computers, albeit extremely specialized, any of which might be 
vulnerable to attack - even *more* vulnerable than the user's 
computer is.)

The hacker doesn't need your home address, though - physical topology 
is irrelevant, in this case, to network topology. They just need to 
put a virus on your machine to log in as you (from your network) for 
them, and that's what you seem to be addressing.

-Shade

At 4:32 PM -0400 10/21/08, Nathan wrote:
>And what misapprehensions would that be?
>
>-----Original Message-----
>From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
>Sent: Tuesday, October 21, 2008 4:04 PM
>To: Nathan
>Cc: general at openid.net
>Subject: Re: [OpenID] FW: general Digest, Vol 26, Issue 57
>
>>I just want to add that I like where you guys are Trying to go with all
>>of this.
>
>Considering the number of misapprehensions in your message, I really have to
>question just exactly where you think we ARE going with all this ;)
>
>-Shade

At 5:02 PM -0400 10/21/08, Nathan wrote:
>Ok so maybe I wasn't clearly expressing my concerns.
>
>What concerns me is the security on the whole bit. Now I can see that what I
>said def. hit a nerve because I've been blown up with emails about it.
>
>The thing is if you start giving people a static bit of information that
>links back to that person. (Much like a "State ID" or a "Drivers License"
>does.) You risk that same bit of information giving access to much more
>information. You cannot sit there and tell me that where those login details
>are used there won't be a record of it. And then so what responsibility is
>given to those in charge of these records.  I personally will probably never
>use OPEN ID because I don't believe that a person should be labeled and
>stamped with a barcode on the internet. And that is exactly what you guys
>are talking about doing. As I said before I like that you are trying to make
>the whole internet login to websites bit much easier on the users. Only
>having to remember one username and password. That's great. But the problem
>is, all I'd have to do is snatch that person's OPEN ID and bam I have access
>to EVERYTHING. And face it there will be absolutely no way for you guys to
>stop this from happening.
>They can't even stop people's bank accounts from getting hacked. What makes
>you think the same won't happen. Let me put it like this. What is easier to
>do. Go around a city and pick up one piece of trash at a time, or just go
>to the dump and pick it all up at once?? You're taking what used to be a lot
>of sensitive information and consolidating it so it makes a hackers job
>easier. The only way this stuff will ever work properly is if every PC on
>earth is equipped with a biometric DNA reader.
>And even then there will be ways around it. What would make me feel better
>is if you referenced back the login to match up with the user's IP. Making
>only the user's home IP allowed to access the login.
>Granted this stinks for mobile users or users trying to do things from other
>locations. But something like that would significantly reduce the chances of
>a hacker being able to USE your login details. They still may be able to
>snatch it. But unless they have that user's home address and a way onto their
>network the information is useless. I'm just concerned about the whole
>thing. The consolidation of all those pieces just seems like way too much of
>a security risk.
>
>-----Original Message-----
>From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
>Sent: Tuesday, October 21, 2008 4:32 PM
>To: Nathan
>Cc: general at openid.net
>Subject: [OpenID] Re: OpenID as state-issued ID
>
>>this. But do we really want to put an ID system on the internet?? To me
>>this screams "Drivers License" or "State ID" only you're trying to do this
>>online.
>
>It's interesting that you should use those as analogies, considering they
>don't support ANY of the concerns you've expressed:
>
>>That is an extremely scary thought. I don't want to login to my
>>favorite porn site or whatever kind of site and have website owner
>>immediately have all of my personal information.
>
>How does a driver's license or state ID give someone access to ALL your
>personal information? Are states in the habit now of printing E-mail
>addresses, home addresses, phone numbers, and your medical details on the ID
>card? For the record, mine has a P.O. box - about the most you can learn
>from it (that wouldn't be obvious just from
>*looking* at me) is the DoB.
>
>>Or for that matter how do you plan on
>>keeping users of the open ID from tracking peoples website visiting habits?
>
>I didn't realize we lived in a police state already - I regularly go to
>various locations, and NO ONE demands (or even asks) that I show them my ID
>(for this reason, I don't even *carry* any ID with me, usually), so it's
>quite impossible for people at those locations to figure out where else I've
>been.
>
>(Well, technically not *impossible*, but at that point it's a spurious
>argument - the ID card can't possibly be how they're tracking me, so it's
>fallacious to imply a connection.)
>
>And even if they *did* demand my ID, so what? Are they going to mark it with
>some special non-removable tag that shows *other* stores (possibly their
>competitors!) where I've been? How do they force me to return there so they
>can read the tags which their competitors'
>stores, presumably, have been adding?
>
>In other words, how do they force the ID to be associated with other
>locations and how do they find out this information after it's been updated?
>
>-Shade
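Added example, not part of Shade's or Nathan's messages and not code from any OpenID library: the reply above describes holding *many* OpenIDs, one per site, none connected to the person or to each other, and later names "only use one OpenID per site" as the first defence against a snatched identifier unlocking everything. The Go program below generalizes that arrangement so it needs no separate web page per site: one master secret on the holder's own OP yields a distinct pairwise identifier per relying party through an HMAC over the site's realm. The Holder type, the op.example.invalid domain, the realm rule and the sample relying-party URLs are assumptions made for this illustration; nothing here is the OpenID wire protocol itself.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"net/url"
	"strings"
)

// Holder is one person with one master secret. Each relying party sees a
// different identifier derived from that secret; none of them names the
// person, and none can be matched to another without the secret.
type Holder struct {
	secret   []byte // lives only on the holder's own OP
	opDomain string // hypothetical domain under which the identifiers are served
}

func NewHolder(secret []byte, opDomain string) Holder {
	return Holder{secret: secret, opDomain: opDomain}
}

// realm reduces a relying-party URL to scheme and host, so every page of one
// site maps to the same identifier and a second site cannot obtain it just by
// copying a path. (The realm rule is this example's own assumption.)
func realm(rpURL string) (string, error) {
	u, err := url.Parse(rpURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("bad relying-party URL %q", rpURL)
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), nil
}

// IdentifierFor returns the identifier this holder uses at one site. The
// label is an HMAC over the realm, so it reveals nothing about the secret or
// about the identifiers used elsewhere.
func (h Holder) IdentifierFor(rpURL string) (string, error) {
	r, err := realm(rpURL)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, h.secret)
	mac.Write([]byte(r))
	// 128 bits of the tag, base32 without padding, lower-cased: a valid DNS label.
	label := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(mac.Sum(nil)[:16])
	return "https://" + strings.ToLower(label) + "." + h.opDomain + "/", nil
}

// Owns answers "is this identifier mine, for this site?" by recomputing it and
// comparing in constant time, so the OP never needs a stored table of its own
// identifiers, a table which would itself link them to each other.
func (h Holder) Owns(identifier, rpURL string) bool {
	want, err := h.IdentifierFor(rpURL)
	return err == nil && hmac.Equal([]byte(identifier), []byte(want))
}

func main() {
	h := NewHolder([]byte("constructed master secret, not a real one"), "op.example.invalid")
	for _, rp := range []string{ // constructed relying-party URLs
		"https://blog.example.invalid/2008/10/post#comments",
		"https://blog.example.invalid/login",
		"https://forum.example.invalid/login",
	} {
		id, err := h.IdentifierFor(rp)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-52s -> %s\n", rp, id)
	}
}
```

Two pages of the blog get the same identifier; the forum gets an unrelated one, and an identifier snatched from the forum says nothing about the blog account. The trade-off a practitioner should note: the master secret is now the one thing whose theft links every account, so it belongs on the OP and nowhere else, and the OP must serve an identifier page (and answer authentication) for every label it can derive, not just the ones it has seen. OpenID 2.0's directed identity (the RP sends identifier_select and the OP chooses the identifier) is the protocol-level hook for exactly this arrangement.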
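Added example, not from the original message: the reply above says the OP's own logs can be made to record nothing, or else be encrypted with a public key (and even posted online) so that only the owner's computer, which holds the private key, can read which sites were authenticated to. The Go program below does that per log entry with a fresh AES-256-GCM key wrapped under RSA-OAEP. The record layout, the domain-separation label and the sample relying-party URLs are constructed for this example and are not anything the page or OpenID defines.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// AuthEvent is what an OP would otherwise write to its access log in the clear.
type AuthEvent struct {
	When         time.Time `json:"when"`
	RelyingParty string    `json:"rp"` // the site the user was authenticated to
}

// SealedEntry is the only form in which an event exists on the OP host: a
// fresh AES-256-GCM key per entry, wrapped to the owner's RSA public key.
type SealedEntry struct {
	WrappedKey []byte `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

var oaepLabel = []byte("op-auth-log-v1") // hypothetical domain-separation label

// NewOwnerKey makes the owner's key pair. Only the public half is deployed to
// the OP host; the private half stays on the owner's own computer.
func NewOwnerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one event so that only the private-key holder can read it.
func Seal(pub *rsa.PublicKey, ev AuthEvent) (SealedEntry, error) {
	plain, err := json.Marshal(ev)
	if err != nil {
		return SealedEntry{}, err
	}
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return SealedEntry{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return SealedEntry{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return SealedEntry{}, err
	}
	// The wrapped key is bound in as associated data, so an intruder on the
	// host cannot splice one entry's ciphertext onto another entry's key.
	ct := gcm.Seal(nil, nonce, plain, wrapped)
	return SealedEntry{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the owner's machine, never on the OP host.
func Open(priv *rsa.PrivateKey, e SealedEntry) (AuthEvent, error) {
	var ev AuthEvent
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, oaepLabel)
	if err != nil {
		return ev, fmt.Errorf("unwrap entry key (wrong private key or damaged entry): %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return ev, err
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, e.WrappedKey)
	if err != nil {
		return ev, fmt.Errorf("entry failed authentication (tampered or mismatched): %w", err)
	}
	err = json.Unmarshal(plain, &ev)
	return ev, err
}

// SampleEvents are constructed for this example; the RP URLs are invented.
func SampleEvents() []AuthEvent {
	t := time.Date(2008, 10, 21, 23, 18, 1, 0, time.UTC)
	return []AuthEvent{
		{When: t, RelyingParty: "https://blog.example.invalid/"},
		{When: t.Add(time.Minute), RelyingParty: "https://forum.example.invalid/"},
	}
}

func main() {
	priv, err := NewOwnerKey()
	if err != nil {
		panic(err)
	}
	for _, ev := range SampleEvents() {
		sealed, err := Seal(&priv.PublicKey, ev) // the only form appended to the OP's log
		if err != nil {
			panic(err)
		}
		back, err := Open(priv, sealed) // recoverable only with the owner's private key
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s (%d sealed bytes on the host)\n", back.When.Format(time.RFC3339), back.RelyingParty, len(sealed.Ciphertext))
	}
}
```

What this buys, and what it does not: an intruder who reads the OP host's disk, or anyone who finds the posted copy, sees only wrapped keys and ciphertext; tampering with an entry or pairing one entry's ciphertext with another's key fails authentication, and a different private key cannot unwrap anything. It does not stop an intruder with control of the live OP from watching authentication requests as they happen, and it does not stop them deleting entries, which is the reason the reply also mails or posts the encrypted copies elsewhere.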


