[OpenID] OpenID architecture critiques? Re: Too many providers...
Paul Madsen
paulmadsen at rogers.com
Wed Sep 17 20:30:27 UTC 2008
Peter, I'm not going to make blanket statements about the applicability of OpenID (or any authentication technology) to particular classes of use cases. OMB/NIST got there first.
I will claim as a principle that the level of assurance engendered by proofing, registration, authentication, etc. should be commensurate with that provided by the assertion protocol. And that applies to the SAML Web SSO profile, WS-Fed, Infocards, etc.
regards
paul
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
----- Original Message ----
From: Peter Williams <pwilliams at rapattoni.com>
To: Paul Madsen <paulmadsen at rogers.com>; Peter <peterw at tux.org>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 4:06:15 PM
Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many providers...
So...we have the creationists on the list.
I gave a long list of cca applications. Was cca a use case that the design addressed?
When one uses openid to logon to the concordia mediawiki, was this use part of the concept?
Is there anything inappropriate about using openid2 for mediawiki logon?
Should openid (of any quality, and user auth strength) never be used on a wiki doing access controlled business activities (e.g. one of the business groupware wikis provided by the pbwiki firm)?
________________________________
From: Paul Madsen <paulmadsen at rogers.com>
Sent: Wednesday, September 17, 2008 12:56 PM
To: Peter Williams <pwilliams at rapattoni.com>; Peter <peterw at tux.org>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...
every creation story I've ever seen for OpenID has emphasized blog commenting.
Wrt HealthVault, Microsoft themselves seem somewhat ambivalent - appearing to place the burden of security review (of both OpenID and OPs) on users
https://account.healthvault.com/help.aspx?topicid=faq#OpenIDProviders
paul
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
----- Original Message ----
From: Peter Williams <pwilliams at rapattoni.com>
To: Paul Madsen <paulmadsen at rogers.com>; Peter <peterw at tux.org>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 3:27:59 PM
Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many providers...
Out of interest, what were the use cases?
I've forgotten the name of the cissp who wrote the openid book, but I recall his take: cca (cross company authentication) and blog commenting.
For cca, one has myopenid as the gold standard (in outsourcing the op side of cca) and then there is/was plaxo as the gold standard consumer (since you account link several openids to the localuserid). For blogging, I'd pose google/blogger as the standard reference of using openid to get authentication of comments, and yahoo as the classical reference on how to be an op in the world of mega portals.
In the web2.0 world, we then had magnolia (notable for having no localids) and claimid (notable for tagging documents you want to assert authorship of).
In the (paradoxical) higher assurance space (that liberty folk essentially question if even should really exist) we have microsoft health vault service maintaining your sensitive health record confidentiality, accepting openids from (only) trustbearer (who require strong user auth using dod cac smartcard, usfed piv card, or other javacard/globalplatform smartcard with decent rsa crypto strength (and fips 140-1 and cc assurance, ideally, on the soc in the chip and the id/keymanagement applets/firmware))
________________________________
From: Paul Madsen <paulmadsen at rogers.com>
Sent: Wednesday, September 17, 2008 11:42 AM
To: Peter <peterw at tux.org>; Peter Williams <pwilliams at rapattoni.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...
This comparison is not specific to security, but does address it
http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html
paul
p.s. I am a SAML/Liberty participant. I would not argue that OpenID provides 'no' assurance - rather that it can provide a level of assurance appropriate to the use cases that drove its development. I know of no SAML advocate that would claim more than this correspondence for SAML.
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
----- Original Message ----
From: Peter <peterw at tux.org>
To: Peter Williams <pwilliams at rapattoni.com>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 2:19:46 PM
Subject: [OpenID] OpenID architecture critiques? Re: Too many providers...
Peter Williams <pwilliams at rapattoni.com> wrote:
> Folks in the liberty alliance message (openly and convincingly)
> that openid cannot ever - inherently - be used for any purpose
> requiring "assurance". They point to the undisputed claim that
> the open designers knowingly made design tradeoffs in the crypto
> handshake and security critical security service composition rules,
> so as to make it all easy to deploy and adopt. Because of this
> precept, openid cannot even *be* fixed (since low assurance is the
> actual goal).
As someone who's moving towards integrating OpenID (RP and OP) into his
employer's web apps, I would very much appreciate URLs to such critiques.
From what I see, the most glaring problem is that some "major sites" that
act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so
RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more
obvious DNS and MITM/phishing attacks.
BTW, whoever maintains http://openid.net/get/ should probably change the
Yahoo information to "https://me.yahoo.com/" since that works and, unlike
http://openid.yahoo.com/, uses SSL/TLS.
Thanks,
Peter
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
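The RP-side policy Peter describes above (prefer https identity URLs so that TLS, not bare DNS, vouches for discovery) can be made concrete. The following is an added example, not code from anyone in this thread or from any OpenID library: it implements the OpenID 2.0 identifier normalization rules in simplified form, then checks that both the claimed identifier and the discovered OP endpoint are https, and that the claimed_id in the returned assertion exactly matches the identifier the user entered (http:// and https:// forms are distinct identifiers in OpenID 2.0, so a scheme mismatch must be rejected). The discovery table is a constructed stand-in for a Yadis/XRDS lookup; the op.example.com endpoints are placeholders, not real Yahoo endpoints.

```python
"""Added example: an RP transport policy for OpenID 2.0 identifiers.

Not from the thread or from any OpenID implementation. The discovery table
below is constructed for illustration; op.example.com is a placeholder.
"""
from urllib.parse import urlsplit, urlunsplit

# Global context symbols that mark an XRI (OpenID 2.0 section 7.2).
XRI_GCS = ("=", "@", "+", "$", "!")


def normalize_identifier(user_input: str) -> str:
    """Simplified OpenID 2.0 identifier normalization.

    - 'xri://' prefix is stripped; other XRIs are returned unchanged.
    - A URL without a scheme gets 'http://' prepended, as the spec requires.
    - The fragment is dropped and an empty path becomes '/'.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        return s[len("xri://"):]
    if s[:1] in XRI_GCS:
        return s
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def transport_issues(claimed_id: str, op_endpoint: str) -> list:
    """Reasons the RP cannot lean on TLS for this login; empty list means ok."""
    issues = []
    for label, url in (("claimed identifier", claimed_id), ("OP endpoint", op_endpoint)):
        scheme = urlsplit(url).scheme
        if scheme != "https":
            issues.append(f"{label} {url} is not https (scheme={scheme or 'none'})")
    return issues


# Constructed discovery results standing in for a Yadis/XRDS lookup.
# Keys are normalized claimed identifiers; values are OP endpoint URLs.
CONSTRUCTED_DISCOVERY = {
    "https://me.yahoo.com/": "https://op.example.com/openid/auth",
    "http://openid.yahoo.com/": "http://op.example.com/openid/auth",
}


def evaluate_login(user_input: str, assertion_claimed_id: str, discovery=None) -> dict:
    """Normalize the user's identifier, discover the OP, and apply the policy.

    Returns the normalized claimed_id, the endpoint found, and a list of issues;
    an RP following this policy accepts the login only when issues is empty.
    """
    if discovery is None:
        discovery = CONSTRUCTED_DISCOVERY
    claimed = normalize_identifier(user_input)
    endpoint = discovery.get(claimed)
    issues = []
    if endpoint is None:
        issues.append(f"no OP endpoint discovered for {claimed}")
    else:
        issues.extend(transport_issues(claimed, endpoint))
    # http:// and https:// are different identifiers; an assertion for a
    # different scheme than the one discovered must not be accepted.
    if assertion_claimed_id != claimed:
        issues.append(f"assertion claimed_id {assertion_claimed_id} != {claimed}")
    return {"claimed_id": claimed, "op_endpoint": endpoint, "issues": issues}


if __name__ == "__main__":
    for entered, asserted in (
        ("https://me.yahoo.com/", "https://me.yahoo.com/"),
        ("openid.yahoo.com", "http://openid.yahoo.com/"),
        ("https://me.yahoo.com/", "http://me.yahoo.com/"),
    ):
        result = evaluate_login(entered, asserted)
        verdict = "ACCEPT" if not result["issues"] else "REJECT"
        print(verdict, result["claimed_id"], result["issues"])
```

The policy is deliberately strict about the assertion's claimed_id: even when discovery succeeded over https, an OP answering for the http:// form of the same name is answering for a different identifier, and accepting it would hand back exactly the downgrade the https identity URL was meant to prevent.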