[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Eric Norman ejnorman at doit.wisc.edu
Mon Jan 5 21:29:11 UTC 2009


On Jan 5, 2009, at 12:17 PM, Peter Williams wrote:

> Third denial that an ee ocsp responder is relevant, perhaps for openid
> discovery too?

I was hasty and incorrect when I said OCSP wasn't relevant.
Nevertheless it's also not some sort of magic bullet that
will suddenly make all certificates trustworthy forever.

> So to openid.  How do we handle things in openid if the op compromises 
> its store of private associations? The effect is more severe than if a 
> given rp does the same thing. Does the recovering op purge all name 
> federations at some or all sp entities? Does it need to send a letter 
> to each subscriber?

One of the first things to do is get rid of the "Chicken
Little" phenomenon.  You can see it coming from lots of
places anytime an attack is discovered.

Furthermore, it would be good if folks concentrated on
something that is typically overlooked and usually more
important.  How will trustworthy service be restored?

> The attackers apparently gave impact assessment notice to browser
> makers. But they didn't bother to give it to the 26000 openid rp sites
> capable of doing openid1 https openid discovery. If there was no
> impact, why apparently pre-inform the browser vendors (and allegedly
> list 2 of them on the presentation slides)?

It was an academic crypto paper; it was published by the
normal channels.  Many cryptographic researchers have a
policy that if an attack they have discovered will have
a significant negative impact, they will inform those
that can apply a correction some time (like 9 months)
before publication.  Many commercial crypto vendors seem
to have a policy that such knowledge should go to their
PR and legal departments.  Academic researchers have been
sued in the past by vendors who failed to take corrective
action.

> But at least the role of op entities is getting highlighted by all
> this, since it's an assertion maker. Or is it, under uci? Perhaps an op
> (unlike a shib idp) is but a user #agent#?

There's a reason it's called an OP instead of an IdP.  A
user-controlled OP provides no independent testimony and
would more accurately be called a user agent.  This is one
of the reasons some say OpenID is an identity system, not
a trust system.

Eric Norman