[OpenID] TransparencyCamp and OpenID (U)

Nat sakimura at gmail.com
Fri Mar 13 15:48:05 UTC 2009


On 2009/03/13, at 23:02, Eric Norman <ejnorman at doit.wisc.edu> wrote:

>
> On Mar 13, 2009, at 5:42 AM, Paul Madsen wrote:
>
>> Full NIST LOA requirements for 'assertions' (NIST uses the term in
>> the inclusive sense and not specific to SAML) are laid in Section
>> 10.3.2 of http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf
>
> Chris Messina has suggested that a list of "security problems" with
> OpenID be prepared.  One way to start such a list would be to review
> all the requirements of the various levels in NIST 800-63 and see
> which ones OpenID can satisfy.
>
> What Paul cited was the crypto part.  The other part of 800-64 is
> the non-crypto part (the identity proofing) and is just as important
> to meet the requirements for the sundry levels of assurance.  These
> requirements are described in section 7.
>
> The crypto part is actually the easy one.
>
> Here's a pop quiz to get folks started.  What is the maximum level
> of assurance that can be obtained if someone is allowed to operate
> their own OpenID provider?

You mean OpenID as it stands now?
It is Zero then because of the signature requirement on the indirect
message. (N.B. I am talking in terms of the current standard, not the
draft.)

We all should send comments to NIST on the draft that Paul quoted, by
the way, if you have found some problems with it. (Or has the draft
already been ratified as a standard?)

>
>
> Eric Norman
