[OpenID] OpenID architecture critiques? Re: Too many providers...

Nat Sakimura sakimura at gmail.com
Sat Sep 20 13:24:38 UTC 2008


+1
From what I can tell from my experience with 50+ possible RPs, assurance and
security are their biggest concern and barrier technically. (Of course, ROI
is another, but this is more on the business side.)

We can actually do a profiling of OpenID so that it will be more secure, and
in some cases create an extension to bolster it up. IMHO, this is what we
need right now.

=nat

On Fri, Sep 19, 2008 at 3:23 AM, Tatsuki Sakushima <tatsuki at nri.com> wrote:

> My sympathy here. Limiting potential is a bad idea. The community should
> work on how to make this happen, not limit use cases. We need more RP
> adoption anyway. Many businesses out there cannot be ignored. We should
> think even harder about how to make them feel comfortable using OpenID as
> an SSO means.
>
> Tatsuki Sakushima
> NRI Pacific - Nomura Research Institute America, Inc.
>
> Peter Williams wrote:
> > Not a lot of early replies, were there? Folks need to understand that
> > clever representations are now being made in their name as unnamed
> > designers (that are formally 100% correct, as are a good politician's
> > claims, until contested by analysis), that essentially message that
> > openid is simply not adoptable for controlling any substantive business
> > risk. The claim bases its truthfulness on a reference to lack of
> > security features and (this is the killer) its designers' intent in that
> > regard.
> >
> > I'll write down my beliefs about certain people who we can count amongst
> > the founding group. "Never met personally" means my beliefs are drawn
> > from general email tone, public or private. Material in [] is neither
> > fact checked nor a formal quote attributed to the person.
> >
> > Johannes (never met personally) - LID was supposed to do CCA login. [The
> > contribution of LID to openid carried forward the CCA use case.]
> >
> > Dick (never met personally) - it's nuts to actually use openid2 for
> > websso/cca. It's not good enough for that [in design/operational
> > culture].
> >
> > David: openid is mostly about blogging and perhaps traditional wiki
> > groupware login, as reflected in 10-20 new "openid adoptions" each day
> > [because someone deploys an "openid-capable" software suite, like a blog
> > suite] and 15,000 documented adoptions of myopenid's outsourcing service
> > supporting those blog suite deployments.
> >
> > I've also done de-briefs of most of the original VeriSign PIP team,
> > since meeting David in person. This was also quite revealing about the
> > design and review cycle, relations with the SAML component of VeriSign,
> > since they spoke quite openly (as none continue to work for VeriSign).
> >
> > I've forgotten the person's name, but someone from the UK crowd
> > (probably) expressed the basic mission of UCI/OpenID eloquently, once:
> > use any OP you like without fear, because you the consumer will soon
> > move away from it when you find that folks' refusal to accept it makes
> > it essentially useless. Such indirect, negative feedback by RPs against
> > poor quality OPs, through inconveniencing the user, is apparently
> > the basis of the assurance model, and will [would] ideally translate
> > into the authenticated comments allowing openid to serve as a web-wide
> > basis for addressing blogspam, once such reputation management
> > principles are applied similarly to users.
> >
> > If OpenID is to be used in consort with ws-trust protocols, or OAUTH,
> > the perception (being essentially concertedly messaged by Liberty
> > Alliance folk) may persist that "mere association with openid" brings
> > down the consorting protocol to the low-assurance level inherent in the
> > very trademark "OpenID". That is, merge cardspace with openid, and you
> > just get openid-grade cardspace.
> >
> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > Behalf Of Peter Williams
> > Sent: Wednesday, September 17, 2008 2:30 PM
> > To: Paul Madsen
> > Cc: general at openid.net
> > Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many
> > providers...
> >
> > I'm more interested in the designers' view of the intent.
> >
> > First, were they designing for cca?
> >
> > Did they have expectations that only certain types of cca were envisaged,
> > for only certain types of app (eg classical wiki behaviour)?
> >
> > ________________________________
> >
> > From: Paul Madsen <paulmadsen at rogers.com>
> > Sent: Wednesday, September 17, 2008 1:30 PM
> > To: Peter Williams <pwilliams at rapattoni.com>
> > Cc: general at openid.net <general at openid.net>
> > Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many
> > providers...
> >
> > Peter, I'm not going to make blanket statements about the applicability
> > of OpenID (or any authentication technology) to particular classes of
> > use cases. OMB/NIST got there first.
> >
> > I will claim as a principle that the level of assurance engendered by
> > proofing, registration, and authentication, etc. should be commensurate
> > with that provided by the assertion protocol. And that applies to SAML
> > Web SSO profile, WS-Fed, Infocards, etc.
> >
> > regards
> >
> > paul
> >
> > --
> > Paul Madsen                                  e:paulmadsen @ ntt-at.com
> > NTT                                          p:613-482-0432
> >                                              m:613-302-1428
> >                                              aim:PaulMdsn5
> > web:connectid.blogspot.com
> >
> > ----- Original Message ----
> > From: Peter Williams <pwilliams at rapattoni.com>
> > To: Paul Madsen <paulmadsen at rogers.com>; Peter <peterw at tux.org>
> > Cc: "general at openid.net" <general at openid.net>
> > Sent: Wednesday, September 17, 2008 4:06:15 PM
> > Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many
> > providers...
> >
> > So...we have the creationists on the list.
> >
> > I gave a long list of cca applications. Was cca a use case that the
> > design addressed?
> >
> > When one uses openid to logon to the concordia mediawiki, was this use
> > part of the concept?
> >
> > Is there anything inappropriate about using openid2 for mediawiki logon?
> >
> > Should openid (of any quality, and user auth strength) never be used on
> > a wiki doing access controlled business activities (eg one of the
> > business groupware wikis provided by the pbwiki firm)?
> >
> > ________________________________
> >
> > From: Paul Madsen <paulmadsen at rogers.com>
> > Sent: Wednesday, September 17, 2008 12:56 PM
> > To: Peter Williams <pwilliams at rapattoni.com>; Peter <peterw at tux.org>
> > Cc: general at openid.net <general at openid.net>
> > Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many
> > providers...
> >
> > every creation story I've ever seen for OpenID has emphasized blog
> > commenting.
> >
> > Wrt HealthVault, Microsoft themselves seem somewhat ambivalent -
> > appearing to place the burden of security review (of both OpenID and
> > OPs) on users:
> >
> > https://account.healthvault.com/help.aspx?topicid=faq#OpenIDProviders
> >
> > paul
> >
> > --
> > Paul Madsen                                  e:paulmadsen @ ntt-at.com
> > NTT                                          p:613-482-0432
> >                                              m:613-302-1428
> >                                              aim:PaulMdsn5
> > web:connectid.blogspot.com
> >
> > ----- Original Message ----
> > From: Peter Williams <pwilliams at rapattoni.com>
> > To: Paul Madsen <paulmadsen at rogers.com>; Peter <peterw at tux.org>
> > Cc: "general at openid.net" <general at openid.net>
> > Sent: Wednesday, September 17, 2008 3:27:59 PM
> > Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many
> > providers...
> >
> > Out of interest, what were the use cases?
> >
> > I've forgotten the name of the cissp who wrote the openid book, but I
> > recall his take: cca (cross company authentication) and blog commenting.
> >
> > For cca, one has myopenid as the gold standard (in outsourcing the op
> > side of cca) and then there is/was plaxo as the gold standard consumer
> > (since you account link several openids to the localuserid). For
> > blogging, I'd pose google/blogger as the standard reference of using
> > openid to get authentication of comments, and yahoo as the classical
> > reference on how to be an op in the world of mega portals.
> >
> > In the web2.0 world, we then had magnolia (notable for having no
> > localids) and claimid (notable for tagging documents you want to assert
> > authorship of).
> >
> > In the (paradoxical) higher assurance space (that liberty folk
> > essentially question if even should really exist) we have microsoft
> > health vault service maintaining your sensitive health record
> > confidentiality, accepting openids from (only) trustbearer (who require
> > strong user auth using dod cac smartcard, usfed piv card, or other
> > javacard/globalplatform smartcard with decent rsa crypto strength (and
> > fips 140-1 and cc assurance, ideally, on the soc in the chip and the
> > id/keymanagement applets/firmware)).
> >
> > ________________________________
> >
> > From: Paul Madsen <paulmadsen at rogers.com>
> > Sent: Wednesday, September 17, 2008 11:42 AM
> > To: Peter <peterw at tux.org>; Peter Williams <pwilliams at rapattoni.com>
> > Cc: general at openid.net <general at openid.net>
> > Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many
> > providers...
> >
> > This comparison is not specific to security, but does address it:
> >
> > http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html
> >
> > paul
> >
> > p.s. I am a SAML/Liberty participant. I would not argue that OpenID
> > provides 'no' assurance - rather that it can provide a level of
> > assurance appropriate to the use cases that drove its development. I
> > know of no SAML advocate that would claim more than this correspondence
> > for SAML.
> >
> > --
> > Paul Madsen                                  e:paulmadsen @ ntt-at.com
> > NTT                                          p:613-482-0432
> >                                              m:613-302-1428
> >                                              aim:PaulMdsn5
> > web:connectid.blogspot.com
> >
> > ----- Original Message ----
> > From: Peter <peterw at tux.org>
> > To: Peter Williams <pwilliams at rapattoni.com>
> > Cc: "general at openid.net" <general at openid.net>
> > Sent: Wednesday, September 17, 2008 2:19:46 PM
> > Subject: [OpenID] OpenID architecture critiques? Re: Too many
> > providers...
> >
> > Peter Williams <pwilliams at rapattoni.com> wrote:
> >
> >> Folks in the liberty alliance message (openly and convincingly)
> >> that openid cannot ever - inherently - be used for any purpose
> >> requiring "assurance". They point to the undisputed claim that
> >> the open designers knowingly made design tradeoffs in the crypto
> >> handshake and security critical security service composition rules,
> >> so as to make it all easy to deploy and adopt. Because of this
> >> precept, openid cannot even *be* fixed (since low assurance is the
> >> actual goal).
> >
> > As someone who's moving towards integrating OpenID (RP and OP) into his
> > employer's web apps, I would very much appreciate URLs to such critiques.
> >
> > From what I see, the most glaring problem is that some "major sites" that
> > act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so
> > RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more
> > obvious DNS and MITM/phishing attacks.
> >
> > BTW, whoever maintains http://openid.net/get/ should probably change the
> > Yahoo information to "https://me.yahoo.com/" since that works and, unlike
> > http://openid.yahoo.com/, uses SSL/TLS.
> >
> > Thanks,
> >
> > Peter
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
>



-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
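Peter's point about https:// identity URLs, worked through as an added example that is not code from anyone in the thread: an RP-side check that normalizes a user-typed identifier in a simplified form of OpenID 2.0 section 7.2 and then applies a policy on whether plain-http identifiers (whose discovery rides on unauthenticated DNS/HTTP) are accepted. The normalization and the `check_policy` helper are written here for illustration; the two Yahoo URLs are the ones named in the thread and the XRI is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols: an identifier starting with one is an XRI, not a URL.
XRI_GCS = "=@+$!"


@dataclass(frozen=True)
class ClaimedId:
    normalized: str
    kind: str   # "url" or "xri"
    tls: bool   # True only for an https:// URL identifier


def normalize_identifier(raw: str) -> ClaimedId:
    """Simplified OpenID 2.0 sec. 7.2 normalization: a missing scheme defaults
    to http://, scheme and host are lowercased, fragment dropped, empty path -> "/"."""
    s = raw.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GCS:
        return ClaimedId(s, "xri", False)
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s  # the spec's default, which is the weak case
    p = urlsplit(s)
    normalized = urlunsplit(
        (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, "")
    )
    return ClaimedId(normalized, "url", p.scheme.lower() == "https")


def check_policy(raw: str, require_tls: bool) -> tuple[bool, str]:
    """With require_tls=True only https:// URL identifiers pass, so discovery of
    the OP endpoint is protected by TLS instead of relying on plain DNS/HTTP."""
    cid = normalize_identifier(raw)
    if cid.kind == "xri":
        return (not require_tls, f"{cid.normalized}: XRI, no https URL to verify")
    if cid.tls:
        return (True, f"{cid.normalized}: https identifier, TLS-protected discovery")
    if require_tls:
        return (False, f"{cid.normalized}: plain http identifier rejected by policy")
    return (True, f"{cid.normalized}: http identifier accepted (low assurance)")


if __name__ == "__main__":
    # The two Yahoo URLs named in the thread plus a constructed XRI.
    for ident in ("openid.yahoo.com", "https://Me.Yahoo.com/#frag", "=example"):
        print(check_policy(ident, require_tls=True))
```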