[OpenID] OpenID + Government

Peter Williams pwilliams at rapattoni.com
Wed Aug 12 19:25:45 UTC 2009 

Ok!

So you did what myspace did: took the defined extension points and
added value . They discarded the dh handshake, and use a vendor
specific association protocol (apparently). Better strength and
assurance hopefully... falling back to default (low) assurance ...
when no better option can be found.

In your case, I'll guess in the endpoint xrd that you advertise - per
the model -additional extension handler names, so adding value via the
extension framework. Presumably this offers something suiting banking
frauds to only those endpoints wanting to rely on xri resolution ...
for capability negotiation and address selection (which is the more
openid way of doing things).

This is all just like ssl, now, where folks up negotiate higher
strength mechanisms and higher level operational assurances.

But look at the difference In my tone and characterization, when
discussing the assurance space.

Let's tell the ssl story using a divisive characterization of
assurances, now:

Oh my god, netscapes 40bit rc4 ciphersuite with crappy pertabators in
the kdf (broken by a French student) and verisign class 1 client certs
means ALL of ssl3 is low assurance. Look! GSA confirms it. It's a
fact! Folks must now switch to IPsec, for >loa1 assurance level when
tunelling!

No. Thats not how it was handled. Nsa/Dod comes along, puts in a missi
ciphersuite, adjusts the handshake flow so missi-style key agreement
can share the record layer with rsa handshakes, and dod office systems
get all the additional strength of missi ciphers and missi assurances
when talking amongst themselves (now featuring monthly changing user
keying material, key comprise handling, flash authority removal,
remote cac applet provisioning on gp smartcards...). They can still
interwork with public sites using rsa, at low assurance, however.

(I'm showing my out of dateness In federal systems. By now, missi will
have been renamed 6 times...)

What we want is Strong, professional security engineering, based on cc
claims, STD protection profiles, evaluated cryptomodules, even formal
methods proving the info flow properties of the strong type system,...
And in grassroots centric openid, We want that all to be developed in
and shown by common or garden programmers, not just defense
contractors working for GSA-affiliated .gov sites








On Aug 12, 2009, at 8:37 AM, "Paul Madsen" <paulmadsen at rogers.com>
wrote:

> As you acknowledge ('custom extension albeit'), the application you
> are
> referring to supplemented OpenID's own security in order to meet the
> higher assurance requirements.
>
> With the standardization of that 'custom extension' continuing to
> progress in the OpenID community, perhaps the GSA will in the future
> reevaluate whether the combination can support higher assurance?
>
> The GSA have said (or will say soon I guess) only that OpenID 2.0, as
> profiled, tops out at LOA1 (for US Gov RPs). The profile doeesnt
> mention
>  (I think at least, I havent read it) CX or any other extensions that
> might supplement assurance.
>
> paul
>
> p.s. I believe I am as suspicious of the realty industry as you are of
> Liberty
> Peter Williams wrote:
>>
>> So there i am in 2006 trying to let our 100k realtors use their rsa
>> tokencodes at lots of other websites in the realty universe.
>>
>> Sounds simple, no?
>>
>> And I walk into this religion style war of words, of spin meistering,
>> claim and counterclaim ...and a omnipresent culture of the putdown.
>> Generally: an intense over sensitivity, in the saml camp. And it's
>> not
>> because realty is a hot new market for websso sales!
>>
>> As a lapsed security engineer, i love seeing the passion (and i also
>> love the saml product we selected, which we use everyday at a cost of
>> deployment now of about $2000 partner link (taking about 3 days, in
>> most cases)). But the "edginess" I see displayed across not one but
>> several companies is a real issue for going further with saml. I feel
>> like I'm stepping across a precipice.
>>
>> And the edginess gets noticibly stronger the moment i talk about
>> (also) using openid in our customers trust networks.
>>
>> Now you are a good person to challenge on the bretts topic of "GSA
>> has
>> declared openid as inherently unable to address more than loa1
>> assurance requirements". A firm you associate with has been using
>> openid (with a custom extension albeit) for banking transactions-
>> which are not trivial transactions for which low assurance is
>> appropriate.how can I reconcile those 2 statements?
>>
>> Now I feel I'm being spun to even more. Brett made, in literary
>> analysis, a reaching for that "defining" gsa classification. And in
>> that act of reaching underminded his case for being impartial. A good
>> politician doesn't reach for the very classification device that
>> devides folks. He or she enables (almost magically) a acceptable
>> tradeoff.
>>
>> Is kantara going to formally disarm the samlista brigade and move
>> forward, or have we just got a new name for the same old warhorse?
>>
>>
>>
>> Grudgingly, they acceptedn
>>
>>
>>
>>
>> On Aug 12, 2009, at 4:10 AM, "Paul Madsen" <paulmadsen at rogers.com>
>> wrote:
>>
>>> Peter, a good theory. But you forget to mention that NORAD
>>> intentionally
>>> scrambled the fighters late to allow the planes to get to the
>>> towers.
>>>
>>> Peter Williams wrote:
>>>> My value- such as it is- is as an outsider.
>>>>
>>>> I measured 4 sources:
>>>>
>>>> Sun Micro rsa conference presentation on their openid pilot;
>>>> rationales for never being an rp
>>>> Ping identity factors gating speed of adoption of openid2 -
>>>> privileged acess
>>>> Scott cantors view on openid2 generally, and saml as used in xrd;
>>>> raw opinion, shared freely
>>>> How the uk jisc pilot of openid framed the basis for it's total
>>>> adoption failure in uk academia. Was it geared to fail?
>>>>
>>>> Given these 4 inputs, I simply conjectured a link (liberty). I
>>>> tested my conjecture by being a bit outlandish. CoMpared to the
>>>> norm (fox news and msnbc), I was MILD in the imputations. Lots of
>>>> Ifs, buts, shoulds, mays....that mature heads would recognize as
>>>> method.
>>>>
>>>> Don't get upset. It's just an experiment.
>>>>
>>>> Little, powerless, clueless, skilless, informationless peter throws
>>>> tiny word stone at mighty million dollar liberty standards lobbying
>>>> machine ...and gets "over the top" reaction.
>>>>
>>>> Why? Why such sensitivity?
>>>>
>>>>
>>>>
>>>> On Aug 11, 2009, at 5:29 PM, "John Bradley"
>>>> <john.bradley at wingaa.com<mailto:john.bradley at wingaa.com>> wrote:
>>>>
>>>> Peter, Brett
>>>>
>>>> As a member of Liberty, Kantara, ICF, and OIDF.   I can say that I
>>>> have never seen any indication of Liberty plotting against openID
>>>> or info-card.  (I do go to most of the secret meetings)
>>>>
>>>> The issue with physical access is more one of not trying to boil
>>>> the ocean.
>>>>
>>>> There is real desire by real government RPs to use open
>>>> technologies and work with commercial identity providers.  There
>>>> are RPs I am working with who want this yesterday.
>>>>
>>>> This first step is hard enough.  Many people have been working hard
>>>> for many months.
>>>>
>>>> One of the ways we have been able to make progress is by limiting
>>>> the scope.
>>>>
>>>> We could have done physical access, LoA 4,  p-cards and other
>>>> things.
>>>>
>>>> The initial program by the GSA is a start not an end to the
>>>> process.
>>>>
>>>> There will be changes to the initial profiles and additional
>>>> profiles as time and requirements permit.
>>>>
>>>> This first step is a scary amount of work,  give us time please.
>>>>
>>>> John B.
>>>>
>>>> On 11-Aug-09, at 5:04 PM, <mailto:openid-general-request at lists.openid.net
>>>>> openid-general-request at lists.openid.net<mailto:openid-general-request at lists.openid.net
>>>>> wrote:
>>>> Date: Tue, 11 Aug 2009 13:43:29 -0700
>>>> From: Peter Williams
>>>> <<mailto:pwilliams at rapattoni.com>pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com
>>>> Subject: Re: [OpenID] OpenID + Government
>>>> To: Brett McDowell
>>>> <<mailto:email at brettmcdowell.com>email at brettmcdowell.com<mailto:email at brettmcdowell.com
>>>> Cc: OpenID List <<mailto:general at openid.net>general at openid.net<mailto:general at openid.net
>>>> Message-ID: <<mailto:7911DEBA-C04B-4CC7-8A4B-967626522E9A at rapattoni.com
>>>>> 7911DEBA-C04B-4CC7-8A4B-967626522E9A at rapattoni.com<mailto:7911DEBA-C04B-4CC7-8A4B-967626522E9A at rapattoni.com
>>>> Content-Type: text/plain; charset="us-ascii"
>>>>
>>>> If the infocard stack is technically reputable, can you explain why
>>>> an
>>>> accredited provider would be excluded from using it (and openid)
>>>> from
>>>> making assertions of physical presence?
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net<mailto:general at lists.openid.net>
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>>
>>

More information about the general mailing list