[OpenID] Delegation leading to new accounts on websites

Peter Williams pwilliams at rapattoni.com
Mon Jun 22 18:55:44 UTC 2009


Forgive me. I don't know what a Personal User Agent is - or who provides it to me.

What I'm willing to cede is that an OP might, formally within a revised security model, properly refuse to provide an assertion to the user who has authenticated and shown control of the URI in the delegation flow ... unless the XRD of a delegation/vanity URI is signed in a manner "consistent" with the security policy of the OP.

In today's formal security model, RPs are overly trusted - to hold delegation state and enforce security rules in the delegation flow concerning resolution of SEPs that a formal OP-trusted naming authority maintains about the OP subscriber (asserted claimed id), upon receipt of the assertion. Users are also trusted, to write sensible XRDs at HTTP URIs, used by overly trusting "XRDS applications" such as YADIS. This "low-end" variation of the delegation flow provides none of the protections that higher-end variations of the delegation pattern offer the OP - where XRI resolution MAY provide "XRI applications" with specific assurances about namespace delegation and TTP-grade SEP accuracy controls.

If Google can bring themselves to support the UCI world where users self-certify their delegation requirement in XRDs stored at mere http URIs (vs HXRIs or XRIs) and use RP software of perhaps low repute, to compensate the OP for the additional risk it adopts in allowing itself to interact with that world, I can see OpenID's formal security model advancing. It can allow a Google to refuse properly to interact with such user-written XRDs unless they (or the SEP elements) are signed and/or countersigned by a party that Google can respect. If the XRD (or an SEP element alone) is self-signed there should be no obligation to interact with that entity, unlike today. We have moved from the world facing Google today - do all or nothing in this space.

We have to find a hard balance. We need to address the goal in which users are in control, and apply RP software of possibly ill repute. At the same time, in the traditional identity assertion world, no IDP of any repute would touch such a world with a barge pole. It would have the goal of enforcing specific controls and getting specific assurance from an OP-centric governance regime - assurances that mitigate the risks it faces to its brand. In that world, only those RPs that do exactly X, Y and Z would be authorized (legally) to handle assertions.

Unfortunately, those two goal sets conflict. Some middle ground has to be found - much like SSL found, by adopting CTLs.
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Santosh Rajan [santrajan at gmail.com]
Sent: Monday, June 22, 2009 8:02 AM
To: general at openid.net
Subject: Re: [OpenID] Delegation leading to new accounts on websites

Peter Williams wrote:
>
> I think that's a fair trade. I'll give up some of UCI, if they give signed
> discovery documents to the world.
>

I presume in this scenario Google is your Personal User Agent provider. So
what or how are you going to give up some UCI? Or am I missing something?

-----

Santosh Rajan
http://santrajan.blogspot.com
