[OpenID] TransparencyCamp and OpenID (U)

Eric Norman ejnorman at doit.wisc.edu
Fri Mar 13 14:02:55 UTC 2009


On Mar 13, 2009, at 5:42 AM, Paul Madsen wrote:

> Full NIST LOA requirements for 'assertions' (NIST uses the term in
> the inclusive sense and not specific to SAML) are laid out in Section
> 10.3.2 of
> http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

Chris Messina has suggested that a list of "security problems" with
OpenID be prepared.  One way to start such a list would be to review
all the requirements of the various levels in NIST 800-63 and see
which ones OpenID can satisfy.

What Paul cited was the crypto part.  The other part of 800-63 is
the non-crypto part (the identity proofing), and it is just as important
for meeting the requirements of the sundry levels of assurance.  These
requirements are described in section 7.

The crypto part is actually the easy one.

Here's a pop quiz to get folks started.  What is the maximum level
of assurance that can be obtained if someone is allowed to operate
their own OpenID provider?

Eric Norman
