[OpenID] OpenID architecture critiques? Re: Too many providers...

Paul Madsen paulmadsen at rogers.com
Wed Sep 17 18:42:33 UTC 2008


This comparison is not specific to security, but does address it

http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html

paul

p.s. I am a SAML/Liberty participant. I would not argue that OpenID provides 'no' assurance - rather that it can provide a level of assurance appropriate to the use cases that drove its development. I know of no SAML advocate that would claim more than this correspondence for SAML.

 -- 
Paul Madsen
NTT
e: paulmadsen @ ntt-at.com
p: 613-482-0432
m: 613-302-1428
aim: PaulMdsn5
web: connectid.blogspot.com



----- Original Message ----
From: Peter <peterw at tux.org>
To: Peter Williams <pwilliams at rapattoni.com>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 2:19:46 PM
Subject: [OpenID] OpenID architecture critiques? Re: Too many providers...


Peter Williams <pwilliams at rapattoni.com> wrote:
> Folks in the liberty alliance message (openly and convincingly)  
> that openid cannot ever - inherently - be used for any purpose 
> requiring "assurance". They point to the  undisputed claim that 
> the open designers knowingly made design tradeoffs in the crypto 
> handshake and security critical security service composition rules, 
> so as to make it all easy to deploy and adopt. Because of this 
> precept, openid cannot even *be* fixed (since low assurance is the 
> actual goal).

As someone who's moving towards integrating OpenID (RP and OP) into his
employer's web apps, I would very much appreciate URLs to such critiques. 

From what I see, the most glaring problem is that some "major sites" that
act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so
RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more
obvious DNS and MITM/phishing attacks. 

BTW, whoever maintains http://openid.net/get/ should probably change the
Yahoo information to "https://me.yahoo.com/" since that works and, unlike
http://openid.yahoo.com/, uses SSL/TLS.

Thanks,

Peter
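An RP-side gate of the kind this message argues for, added here as an example (not code from the thread or from any OpenID library): it normalises a user-typed identifier following the OpenID 2.0 section 7.2 rules and refuses to start discovery unless the result is an https:// URL. The two Yahoo URLs are the ones quoted above; XRI handling and redirect-following are assumed out of scope.

```python
# Added example (not from the thread): normalise an OpenID URL identifier and
# decide whether the RP may fetch it for discovery. Plain http:// discovery is
# the step a DNS or on-path attacker can rewrite, which is the risk above.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> str:
    """Add http:// if no scheme was given, lowercase scheme and host, drop a
    default port, turn an empty path into "/", strip any fragment.
    XRIs and redirect-following (also part of the spec) are not handled."""
    s = user_input.strip()
    if not s:
        raise ValueError("empty identifier")
    if s.lower().startswith("xri://") or s[0] in "=@+$!":
        raise ValueError("XRI identifiers are not handled by this example")
    if "://" not in s:
        s = "http://" + s  # spec: a bare host is assumed to be http
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL identifier: {user_input!r}")
    netloc = parts.hostname  # urlsplit already lowercases the host part
    if parts.port is not None and parts.port != DEFAULT_PORTS[scheme]:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def discovery_policy(user_input: str, require_tls: bool = True) -> dict:
    """Return the normalised identifier plus whether discovery may proceed."""
    identifier = normalize_identifier(user_input)
    over_tls = identifier.startswith("https://")
    allowed = over_tls or not require_tls
    reason = ("discovery over TLS" if over_tls else
              "plaintext discovery; OP endpoint could be spoofed by DNS/MITM")
    return {"identifier": identifier, "tls": over_tls,
            "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    # constructed inputs; the two Yahoo URLs are quoted in the message above
    for ident in ("https://me.yahoo.com/", "http://openid.yahoo.com/", "Me.Yahoo.com"):
        print(discovery_policy(ident))
```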
