[OpenID] OpenID architecture critiques? Re: Too many providers...
Peter Williams
pwilliams at rapattoni.com
Thu Sep 18 15:21:57 UTC 2008
Not a lot of early replies, were there? Folks need to understand that clever representations are now being made in their name as unnamed designers (that are formally 100% correct, as are a good politician's claims, until contested by analysis), that essentially message that openid is simply not adoptable for controlling any substantive business risk. The claim bases its truthfulness on a reference to lack of security features and (this is the killer) its designers' intent in that regard.
I'll write down my beliefs about certain people who we can count amongst the founding group. Never met personally means my beliefs are drawn from general email tone, public or private. Material in [] is neither fact checked nor a formal quote attributed to the person.
Johannes (never met personally)- LID was supposed to do CCA login. [The contribution of LID to openid carried forward the CCA use case.]
Dick (never met personally) - it's nuts to actually use openid2 for websso/cca. It's not good enough for that [in design/operational culture].
David: openid is mostly about blogging and perhaps traditional wiki groupware login, as reflected in 10-20 new "openid adoptions" each day [because someone deploys an "openid-capable" software suite, like a blog suite] and 15,000 documented adoptions of myopenid's outsourcing service supporting those blog suite deployments.
I've also done de-briefs of most of the original VeriSign PIP team, since meeting David in person. This was also quite revealing about the design and review cycle, relations with the SAML component of VeriSign, since they spoke quite openly (as none continue to work for VeriSign).
I've forgotten the person's name, but someone from the UK crowd (probably) expressed the basic mission of UCI/OpenID eloquently, once: use any OP you like without fear, because you the consumer will soon move away from it when you find that folks' refusal to accept it makes it essentially useless. Such indirect, negative feedback by RPs against poor quality OPs through inconveniencing the user is apparently the basis of the assurance model, and will [would] ideally translate into the authenticated comments allowing openid to serve as a web-wide basis for addressing blogspam, once such reputation management principles are applied similarly to users.
If OpenID is to be used in consort with ws-trust protocols, or OAUTH, the perception (being essentially concertedly messaged by Liberty Alliance folk) may persist that "mere association with openid" brings down the consorting protocol to the low-assurance level inherent in very trademark "OpenID". That is, merge cardspace with openid, and you just get openid-grade cardspace.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Peter Williams
Sent: Wednesday, September 17, 2008 2:30 PM
To: Paul Madsen
Cc: general at openid.net
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...
I'm more interested in the designers' view of the intent.
First, were they designing for cca?
Did they have expectations that only certain types of cca were envisaged, to only certain types of app (eg classical wiki behaviour)?
________________________________
From: Paul Madsen <paulmadsen at rogers.com>
Sent: Wednesday, September 17, 2008 1:30 PM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...
Peter, I'm not going to make blanket statements about the applicability of OpenID (or any authentication technology) to particular classes of use cases. OMB/NIST got there first.
I will claim as a principle that the level of assurance engendered by proofing, registration, and authentication, etc should be commensurate with that provided by the assertion protocol. And that applies to SAML Web SSO profile, WS-Fed, Infocards, etc
regards
paul
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
----- Original Message ----
From: Peter Williams <pwilliams at rapattoni.com>
To: Paul Madsen <paulmadsen at rogers.com>; Peter <peterw at tux.org>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 4:06:15 PM
Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many providers...
So...we have the creationists on the list.
I gave a long list of cca applications. Was cca a use case that the design addressed?
When one uses openid to logon to the concordia mediawiki, was this use part of the concept?
Is there anything inappropriate about using openid2 for mediawiki logon?
Should openid (of any quality, and user auth strength) never be used on a wiki doing access controlled business activities (eg one of the business groupware wikis provided by the pbwiki firm)?
________________________________
From: Paul Madsen <paulmadsen at rogers.com>
Sent: Wednesday, September 17, 2008 12:56 PM
To: Peter Williams <pwilliams at rapattoni.com>; Peter <peterw at tux.org>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...
every creation story I've ever seen for OpenID has emphasized blog commenting.
Wrt HealthVault, Microsoft themselves seem somewhat ambivalent - appearing to place the burden of security review (of both OpenID and OPs) on users
https://account.healthvault.com/help.aspx?topicid=faq#OpenIDProviders
paul
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
----- Original Message ----
From: Peter Williams <pwilliams at rapattoni.com>
To: Paul Madsen <paulmadsen at rogers.com>; Peter <peterw at tux.org>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 3:27:59 PM
Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many providers...
Out of interest, what were the use cases?
I've forgotten the name of the cissp who wrote the openid book, but I recall his take: cca (cross company authentication) and blog commenting.
For cca, one has myopenid as the gold standard (in outsourcing the op side of cca) and then there is/was plaxo as the gold standard consumer (since you account link several openids to the localuserid). For blogging, I'd pose google/blogger as the standard reference of using openid to get authentication of comments, and yahoo as the classical reference on how to be an op in the world of mega portals.
In the web2.0 world, we then had magnolia (notable for having no localids) and claimid (notable for tagging documents you want to assert authorship of).
In the (paradoxical) higher assurance space (that liberty folk essentially question if even should really exist) we have microsoft health vault service maintaining your sensitive health record confidentiality, accepting openids from (only) trustbearer (who require strong user auth using dod cac smartcard, usfed piv card, or other javacard/globalplatform smartcard with decent rsa crypto strength (and fips 140-1 and cc assurance, ideally, on the soc in the chip and the id/keymanagement applets/firmware))
________________________________
From: Paul Madsen <paulmadsen at rogers.com>
Sent: Wednesday, September 17, 2008 11:42 AM
To: Peter <peterw at tux.org>; Peter Williams <pwilliams at rapattoni.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...
This comparison is not specific to security, but does address it
http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html
paul
p.s. I am a SAML/Liberty participant. I would not argue that OpenID provides 'no' assurance - rather that it can provide a level of assurance appropriate to the use cases that drove its development. I know of no SAML advocate that would claim more than this correspondence for SAML.
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
----- Original Message ----
From: Peter <peterw at tux.org>
To: Peter Williams <pwilliams at rapattoni.com>
Cc: "general at openid.net" <general at openid.net>
Sent: Wednesday, September 17, 2008 2:19:46 PM
Subject: [OpenID] OpenID architecture critiques? Re: Too many providers...
Peter Williams <pwilliams at rapattoni.com> wrote:
> Folks in the liberty alliance message (openly and convincingly)
> that openid cannot ever - inherently - be used for any purpose
> requiring "assurance". They point to the undisputed claim that
> the open designers knowingly made design tradeoffs in the crypto
> handshake and security critical securty service composition rules,
> so as to make it all easy to deploy and adopt. Because of this
> precept, openid cannot even *be* fixed (since low assurance is the
> actual goal).
As someone who's moving towards integrating OpenID (RP and OP) into his
employer's web apps, I would very much appreciate URLs to such critiques.
From what I see, the most glaring problem is that some "major sites" that
act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so
RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more
obvious DNS and MITM/phishing attacks.
BTW, whoever maintains http://openid.net/get/ should probably change the
Yahoo information to "https://me.yahoo.com/" since that works and, unlike
http://openid.yahoo.com/, uses SSL/TLS.
Thanks,
Peter
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
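Peter's point above, that an OP whose identity URLs are plain http:// leaves the RP unable to use TLS during discovery, is easy to turn into an RP-side pre-flight check. The following is an added example written for this thread, not code from any OpenID library or from the people on the list: it applies the OpenID 2.0 user-input normalization rules (strip an xri:// prefix, treat identifiers starting with an XRI global context symbol as XRIs, otherwise prepend http:// when no scheme is given, lowercase scheme and host, drop the fragment) and then reports whether discovery for the resulting identifier would run over TLS. The function names, the `verdict` labels and the sample inputs are my own; the two Yahoo URLs are the ones quoted in the message.

```python
"""RP-side pre-flight for OpenID 2.0 claimed identifiers (illustrative example).

The RP cannot make an OP serve its identifiers over https, but it can at least
know, before it fetches anything, whether the discovery step will be protected
by TLS and apply a local policy (accept / warn / reject) accordingly.
"""
from urllib.parse import urlsplit, urlunsplit

# Characters that mark an XRI identifier (i-name / i-number) per OpenID 2.0 sec. 7.2.
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("


def normalize_identifier(user_input: str) -> str:
    """Apply the OpenID 2.0 user-input normalization rules.

    Returns either an XRI (unchanged apart from a stripped "xri://" prefix) or
    an http(s) URL with lowercased scheme/host, a non-empty path and no fragment.
    Only the case/fragment/default-path parts of RFC 3986 normalization are done
    here; full percent-encoding normalization is omitted for brevity.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return s  # XRI: resolved via an XRI proxy, not by plain HTTP discovery
    if "://" not in s:
        # The spec says a schemeless identifier is treated as an http URL,
        # which is exactly why "openid.yahoo.com" typed by a user is unprotected.
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((
        parts.scheme.lower(),
        parts.netloc.lower(),
        parts.path or "/",
        parts.query,
        "",  # fragment is always dropped
    ))


def is_tls_protected(identifier: str) -> bool:
    """True when discovery of this identifier starts over https."""
    return urlsplit(identifier).scheme == "https"


def check_identifier(user_input: str, require_tls: bool = False) -> dict:
    """Normalize an identifier and apply a local RP policy.

    verdict is one of (labels are this example's own):
      "accept" - https identifier, discovery is TLS-protected
      "warn"   - http identifier, discovery exposed to DNS/MITM interference
      "reject" - http identifier and the RP policy requires TLS
      "xri"    - XRI identifier, TLS question not applicable at this stage
    """
    identifier = normalize_identifier(user_input)
    if identifier and identifier[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        verdict = "xri"
    elif is_tls_protected(identifier):
        verdict = "accept"
    else:
        verdict = "reject" if require_tls else "warn"
    return {"input": user_input, "identifier": identifier, "verdict": verdict}


# Constructed sample inputs: the two Yahoo URLs from the thread plus a bare
# hostname and an XRI, to show each branch of the policy.
SAMPLE_INPUTS = [
    "https://me.yahoo.com/",
    "http://openid.yahoo.com/",
    "openid.yahoo.com",
    "HTTPS://Me.Yahoo.com/#profile",
    "=example.name",
]


def run_samples(require_tls: bool = False) -> list:
    return [check_identifier(s, require_tls) for s in SAMPLE_INPUTS]


if __name__ == "__main__":
    for result in run_samples():
        print(f"{result['verdict']:7} {result['input']!r:32} -> {result['identifier']}")
```

In practice the same scheme check belongs on the OP endpoint URL that discovery returns, not only on the claimed identifier; an https identifier that resolves to an http endpoint gives the RP nothing. That second check is a one-liner with `is_tls_protected` once discovery has run.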