[OpenID] TransparencyCamp and OpenID (U)

[Ben Laurie]

On Fri, Mar 13, 2009 at 3:34 AM, Brett McDowell
<brett at projectliberty.org> wrote:
> To (what I think is) Chris' point about changing/up-leveling the discussion
> out of a "OpenID vs. SAML" or "OpenID is insecure" sidetrack, and to (what I
> think is) Johannes' point about capturing the security requirements that we
> can base a new work stream on... I humbly suggest we look at the
> requirements our friends in the US Government (and others) are requiring now
> and are confident they will continue to require regardless of (and
> independent of) private sector innovation.  I'm specifically referring to
> their requirement to compliance to the NIST defined levels of assurance
> (LOA).
> If I were to peer into my crystal ball I would probably see that most of the
> compelling applications that governments will open to 3rd-party credentialed
> citizens are likely to be set to LOA 2 or LOA 3.  How about we shift this
> conversation to focus on how OP's can offer OpenID-based services to their
> users that achieve government recognized compliance to LOA 2 (and soon
> after, LOA 3)?

OK, but I don't think we should be aiming to satisfy only the US government.

> Some work on this has already been *started* but not progressed in earnest.
>  Project Concordia has some use cases that look at this problem space.  The
> Identity Assurance Framework looks at how any particular credential service
> can achieve LOA 1 through LOA 4.  What we don't have is any analysis of what
> an OP could achieve with OpenID 2.0.  Knowing this will provide a clear gap
> analysis of what we have vs. what we need. We can base our deliberations on
> these hard facts.  I can only believe this will be more productive than...
> actually I don't see any alternative to this approach if we are serious
> about making progress.
> Next Steps?
> Since I work closely with the primary US Government agency in charge of
> procurement (which is quite important to the issue of what/which IT
> infrastructure Federal agencies deploy), and because they already require
> our certification for all federation technology prior to being considered by
> agencies for procurement (this is all SAML and/or PKI  today -- just to
> clear up any confusion about the usage of SAML in eCitizen applications),
> and since they are working closely with us to adopt our credential
> assessment framework for LOA 1-2 in the very near future (and LOA 3-4 down
> the road), I would be happy to talk with them about co-hosting a kick-off
> event to drill into this issue as it relates to OpenID specifically.   I
> assume they will be interested.  They, like I, would like to see citizens be
> able to use whatever private sector credentials they "already have" to
> access government applications.  If those are OpenID's, then lets make sure
> those OpenID's are going to be acceptable to these federal Relying Parties
> (who knows, we might learn something that helps us win more RP adoption in
> other markets as well).
> Thoughts?
>
> Brett McDowell | +1.413.652.1248 | http://info.brettmcdowell.com
> On Mar 12, 2009, at 9:05 PM, Peter Williams wrote:
>
>
> I’ve been playing with dynamic SAML metadata modes recently. Instead of
> reading a signed XRDS file, peers dynamically  sign SAML metadata files. A
> SAML metadata file is only XML, and has extensions:  one of which could
> include an XRD or 2 (and thus get signed XRD off the ground). You can look
> at the SAML endpoints as funky XRD services, all expressed in their own
> markup.
>
> The best thing that ever happened to SAML2 was openid – as [most of] the
> SAML crowd have largely got off their ultra high horse and been forced to
> match openid in simplicity and effectiveness (or be made irrelevant).
>
>
>
>
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Chris Messina
> Sent: Thursday, March 12, 2009 3:59 PM
> To: Johannes Ernst
> Cc: OpenID List
> Subject: Re: [OpenID] TransparencyCamp and OpenID (U)
>
> On Thu, Mar 12, 2009 at 4:37 PM, Johannes Ernst
> <jernst+openid.net at netmesh.us> wrote:
> On Mar 12, 2009, at 9:46, Ben Laurie wrote:
> I agree that all of SAML is way too large a pill to swallow but
> there's no reason subsets that are usable cannot be defined, and,
> indeed, have been.
>
> I would love it if somebody was actually starting a working group (in Apache
> they would call it "incubate") that would propose all the gory details of a
> "more secure" form of OpenID that still fits into the decentralized,
> discovery-based OpenID architecture. Only then can we tell what may or may
> not be the better approach.
>
> +1.
>
> I'm not the person to do it, simply because I don't have the background, but
> I'm really no longer interested in the discussion that "OpenID isn't good
> enough for high-value transactions". Tell that to the Japanese who are
> already pushing payments over/with OpenID.
>
> If it's got security issues, as Johannes said, we should collect a list of
> them as issues and go about finding suitable solutions, best practices or
> explanations for WONTFIX-type resolutions.
>
> The reality is, people will use OpenID in all kinds of cases that we can't
> be able to anticipate; SAML (again, from what I hear — being mostly SAML
> ignorant) is that SAML requires sysadmins to maintain and more and more
> organizations want to move away from that kind of model.
>
> HTTP succeeds because (among many, many other reasons) you can jack up your
> service to things like S3 once you realize that you're not really saving any
> money as a small to mid-sized organization running a server farm. The same
> thing applies to user authentication and security over time, where it'd be
> nice to have a fairly straight-forward, interoperable protocol for doing
> authentication. From what I've heard, I don't question the sophistication or
> technological pedigree of SAML; it's just that when I hear people say that
> OpenID isn't secure enough, it's like saying we should all switch to RDF
> because it's OMG-so-much-better.
>
> I don't doubt that either are, if your primary concerns in life are centered
> around the problems that these technologies solve; but for folks for whom
> security isn't necessarily their only responsibility, and they no longer
> have an IT department or staff to manage a SAML solution and look to OpenID
> as a potential answer — saying that OpenID isn't secure enough doesn't seem
> to be an answer to the question "well, then what do I use?"
>
> How do we get from where we are today to a point where OpenID really does
> solve a large number of security problems — if only because it hopefully
> means fewer passwords in use overall — and fewer unique accounts to
> maintain? Look, let's take another look at this: it isn't just "is OpenID by
> itself secure?" It's: "given how OpenID changes the makeup of and behavior
> in the overall ecosystem, are we now more secure than we were before?" In
> general, I think the answer is yes, though of course good security
> necessitates vigilance and constant improvement.
>
> To Johannes point: are we capturing these needed improvements anywhere, and
> if not, can we begin to?
>
> Chris
>
>
> --
> Chris Messina
> Citizen-Participant &
>  Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>