[OpenID] OpenID architecture critiques? Re: Too many providers...

Peter Williams pwilliams at rapattoni.com
Wed Sep 17 19:27:59 UTC 2008


Out of interest, what were the use cases?

I've forgotten the name of the CISSP who wrote the OpenID book, but I recall his take: CCA (cross-company authentication) and blog commenting.

For CCA, one has myopenid as the gold standard (in outsourcing the OP side of CCA) and then there is/was plaxo as the gold standard consumer (since you account-link several openids to the localuserid). For blogging, I'd pose google/blogger as the standard reference of using openid to get authentication of comments, and yahoo as the classical reference on how to be an OP in the world of mega portals.

In the web2.0 world, we then had magnolia (notable for having no localids) and claimid (notable for tagging documents you want to assert authorship of).

In the (paradoxical) higher assurance space (that liberty folk essentially question if it even should really exist) we have the microsoft HealthVault service maintaining your sensitive health record confidentiality, accepting openids from (only) trustbearer (who require strong user auth using a DoD CAC smartcard, US federal PIV card, or other javacard/globalplatform smartcard with decent RSA crypto strength (and FIPS 140-1 and CC assurance, ideally, on the SoC in the chip and the id/key-management applets/firmware)).

________________________________
From: Paul Madsen <paulmadsen at rogers.com>
Sent: Wednesday, September 17, 2008 11:42 AM
To: Peter <peterw at tux.org>; Peter Williams <pwilliams at rapattoni.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...

This comparison is not specific to security, but does address it:

http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html

paul

p.s. I am a SAML/Liberty participant. I would not argue that OpenID provides 'no' assurance - rather that it can provide a level of assurance appropriate to the use cases that drove its development. I know of no SAML advocate that would claim more than this correspondence for SAML.

--
Paul Madsen                                  e:paulmadsen @ ntt-at.com
NTT                                               p:613-482-0432
                                                       m:613-302-1428
                                                       aim:PaulMdsn5
                                                       web:connectid.blogspot.com


----- Original Message ----
From: Peter <peterw at tux.org>
To: Peter Williams <pwilliams at rapattoni.com>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 2:19:46 PM
Subject: [OpenID] OpenID architecture critiques? Re: Too many providers...


Peter Williams <pwilliams at rapattoni.com> wrote:
> Folks in the liberty alliance message (openly and convincingly)
> that openid cannot ever - inherently - be used for any purpose
> requiring "assurance". They point to the undisputed claim that
> the open designers knowingly made design tradeoffs in the crypto
> handshake and security critical security service composition rules,
> so as to make it all easy to deploy and adopt. Because of this
> precept, openid cannot even *be* fixed (since low assurance is the
> actual goal).

As someone who's moving towards integrating OpenID (RP and OP) into his
employer's web apps, I would very much appreciate URLs to such critiques.

From what I see, the most glaring problem is that some "major sites" that
act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so
RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more
obvious DNS and MITM/phishing attacks.

BTW, whoever maintains http://openid.net/get/ should probably change the
Yahoo information to "https://me.yahoo.com/" since that works and, unlike
http://openid.yahoo.com/, uses SSL/TLS.

Thanks,

Peter

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
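The point Peter raises above (an RP can only lean on SSL/TLS to authenticate the identity host and the OP if those URLs are https) can be turned into a simple relying-party policy check. The following is an added example, not code from the thread or from any OpenID library: it normalizes a URL-form identifier roughly the way OpenID 2.0 does (default scheme http, lowercase host, fragment dropped, empty path becomes "/"), then reports whether the claimed identifier and the discovered OP endpoint use https. The function names, the `op.example.net` endpoint and the policy knob are constructed for illustration; the two yahoo identifiers are the ones mentioned in the message.

```python
"""Added example: RP-side transport check for OpenID identifiers (illustrative, not library code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


def normalize_openid_url(identifier: str) -> str:
    """Normalize a URL-form OpenID identifier.

    Mirrors the spirit of OpenID 2.0 identifier normalization: a bare
    host gets an http:// scheme (the spec default, which is exactly why
    http identifiers are so common), the scheme and host are lowercased,
    an empty path becomes "/", and any fragment is discarded.
    XRIs (xri:// or =/@ prefixed) are out of scope for this example.
    """
    ident = identifier.strip()
    if ident.lower().startswith("xri://") or ident[:1] in ("=", "@"):
        raise ValueError("XRI identifiers are not handled by this example")
    if "://" not in ident:
        ident = "http://" + ident  # spec default when no scheme is given
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme}")
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))  # fragment removed


@dataclass
class TransportAssessment:
    claimed_id: str
    op_endpoint: str
    claimed_id_https: bool
    op_endpoint_https: bool
    findings: list = field(default_factory=list)


def assess_transport(identifier: str, op_endpoint: str) -> TransportAssessment:
    """Check whether both URLs an RP relies on are reachable over TLS.

    op_endpoint is whatever discovery returned for the identifier; in a
    real RP it would come from Yadis/HTML discovery, here it is passed in.
    """
    claimed = normalize_openid_url(identifier)
    endpoint = normalize_openid_url(op_endpoint)
    cid_https = urlsplit(claimed).scheme == "https"
    ep_https = urlsplit(endpoint).scheme == "https"
    findings = []
    if not cid_https:
        findings.append(
            "claimed identifier is http: the discovery document can be "
            "altered by a DNS or on-path attacker, redirecting the user to a "
            "rogue OP")
    if not ep_https:
        findings.append(
            "OP endpoint is http: the RP cannot authenticate the OP host and "
            "the user's OP login page is served in the clear")
    return TransportAssessment(claimed, endpoint, cid_https, ep_https, findings)


def rp_accepts(assessment: TransportAssessment,
               require_https_identifier: bool = True) -> bool:
    """Constructed policy: always demand an https OP endpoint; optionally
    also demand an https claimed identifier (the stricter setting)."""
    if not assessment.op_endpoint_https:
        return False
    if require_https_identifier and not assessment.claimed_id_https:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the two yahoo identifiers are from the thread,
    # the OP endpoint host is a placeholder.
    for ident in ("http://openid.yahoo.com/", "https://me.yahoo.com/"):
        a = assess_transport(ident, "https://op.example.net/server")
        print(a.claimed_id, "accepted" if rp_accepts(a) else "rejected")
        for f in a.findings:
            print("  -", f)
```

The check only looks at the URL scheme; a real RP must still verify the server certificate on every discovery fetch and OP request, and should treat an http identifier that redirects to https as still http for policy purposes, since the first hop is the one an attacker can intercept.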
