[OpenID] TransparencyCamp and OpenID (U)

Brett McDowell brett at projectliberty.org
Fri Mar 13 18:45:49 UTC 2009 

On Mar 13, 2009, at 9:25 AM, Ben Laurie wrote:

> On Fri, Mar 13, 2009 at 3:34 AM, Brett McDowell
> <brett at projectliberty.org> wrote:
>> To (what I think is) Chris' point about changing/up-leveling the  
>> discussion
>> out of a "OpenID vs. SAML" or "OpenID is insecure" sidetrack, and  
>> to (what I
>> think is) Johannes' point about capturing the security requirements  
>> that we
>> can base a new work stream on... I humbly suggest we look at the
>> requirements our friends in the US Government (and others) are  
>> requiring now
>> and are confident they will continue to require regardless of (and
>> independent of) private sector innovation.  I'm specifically  
>> referring to
>> their requirement to compliance to the NIST defined levels of  
>> assurance
>> (LOA).
>> If I were to peer into my crystal ball I would probably see that  
>> most of the
>> compelling applications that governments will open to 3rd-party  
>> credentialed
>> citizens are likely to be set to LOA 2 or LOA 3.  How about we  
>> shift this
>> conversation to focus on how OP's can offer OpenID-based services  
>> to their
>> users that achieve government recognized compliance to LOA 2 (and  
>> soon
>> after, LOA 3)?
>
> OK, but I don't think we should be aiming to satisfy only the US  
> government.

The UK-based tScheme (http://www.tscheme.org/) has contributed heavily  
to the current version of the Identity Assurance Framework, which will  
be the primary document required to comply with -- based on NIST SP  
800-63, but more comprehensive in terms of service assessment  
criteria.  And BT is co-chair of that effort.  I think UK  
representation is quite strong actually.  Denmark, New Zealand, Canada  
and I suspect Japan, are also looking closely at these four levels of  
assurance as the foundation for their own countries (these are just  
the groups I've talked to directly, I'm sure there are more).   
Actually, I'm told the EU IDABC makes reference to the IAF in their  
documentation, but I have only recently started to work with them and  
cannot confirm that claim yet.  We are getting to a true international  
standard now.  Our intention is actually to submit it through ISO &  
ITU-T for true international standardization once it's considered  
stable enough and we have consensus with ITU & ISO about how it would  
be included in their X.EAA and 29115 respectively.

More detail than you wanted probably... short story is "don't worry,  
we are not just satisfying the US government with this" :-)

>
>
>> Some work on this has already been *started* but not progressed in  
>> earnest.
>>  Project Concordia has some use cases that look at this problem  
>> space.  The
>> Identity Assurance Framework looks at how any particular credential  
>> service
>> can achieve LOA 1 through LOA 4.  What we don't have is any  
>> analysis of what
>> an OP could achieve with OpenID 2.0.  Knowing this will provide a  
>> clear gap
>> analysis of what we have vs. what we need. We can base our  
>> deliberations on
>> these hard facts.  I can only believe this will be more productive  
>> than...
>> actually I don't see any alternative to this approach if we are  
>> serious
>> about making progress.
>> Next Steps?
>> Since I work closely with the primary US Government agency in  
>> charge of
>> procurement (which is quite important to the issue of what/which IT
>> infrastructure Federal agencies deploy), and because they already  
>> require
>> our certification for all federation technology prior to being  
>> considered by
>> agencies for procurement (this is all SAML and/or PKI  today --  
>> just to
>> clear up any confusion about the usage of SAML in eCitizen  
>> applications),
>> and since they are working closely with us to adopt our credential
>> assessment framework for LOA 1-2 in the very near future (and LOA  
>> 3-4 down
>> the road), I would be happy to talk with them about co-hosting a  
>> kick-off
>> event to drill into this issue as it relates to OpenID  
>> specifically.   I
>> assume they will be interested.  They, like I, would like to see  
>> citizens be
>> able to use whatever private sector credentials they "already have"  
>> to
>> access government applications.  If those are OpenID's, then lets  
>> make sure
>> those OpenID's are going to be acceptable to these federal Relying  
>> Parties
>> (who knows, we might learn something that helps us win more RP  
>> adoption in
>> other markets as well).
>> Thoughts?
>>
>> Brett McDowell | +1.413.652.1248 | http://info.brettmcdowell.com
>> On Mar 12, 2009, at 9:05 PM, Peter Williams wrote:
>>
>>
>> I’ve been playing with dynamic SAML metadata modes recently.  
>> Instead of
>> reading a signed XRDS file, peers dynamically  sign SAML metadata  
>> files. A
>> SAML metadata file is only XML, and has extensions:  one of which  
>> could
>> include an XRD or 2 (and thus get signed XRD off the ground). You  
>> can look
>> at the SAML endpoints as funky XRD services, all expressed in their  
>> own
>> markup.
>>
>> The best thing that ever happened to SAML2 was openid – as [most  
>> of] the
>> SAML crowd have largely got off their ultra high horse and been  
>> forced to
>> match openid in simplicity and effectiveness (or be made irrelevant).
>>
>>
>>
>>
>>
>> From: general-bounces at openid.net [mailto:general- 
>> bounces at openid.net] On
>> Behalf Of Chris Messina
>> Sent: Thursday, March 12, 2009 3:59 PM
>> To: Johannes Ernst
>> Cc: OpenID List
>> Subject: Re: [OpenID] TransparencyCamp and OpenID (U)
>>
>> On Thu, Mar 12, 2009 at 4:37 PM, Johannes Ernst
>> <jernst+openid.net at netmesh.us> wrote:
>> On Mar 12, 2009, at 9:46, Ben Laurie wrote:
>> I agree that all of SAML is way too large a pill to swallow but
>> there's no reason subsets that are usable cannot be defined, and,
>> indeed, have been.
>>
>> I would love it if somebody was actually starting a working group  
>> (in Apache
>> they would call it "incubate") that would propose all the gory  
>> details of a
>> "more secure" form of OpenID that still fits into the decentralized,
>> discovery-based OpenID architecture. Only then can we tell what may  
>> or may
>> not be the better approach.
>>
>> +1.
>>
>> I'm not the person to do it, simply because I don't have the  
>> background, but
>> I'm really no longer interested in the discussion that "OpenID  
>> isn't good
>> enough for high-value transactions". Tell that to the Japanese who  
>> are
>> already pushing payments over/with OpenID.
>>
>> If it's got security issues, as Johannes said, we should collect a  
>> list of
>> them as issues and go about finding suitable solutions, best  
>> practices or
>> explanations for WONTFIX-type resolutions.
>>
>> The reality is, people will use OpenID in all kinds of cases that  
>> we can't
>> be able to anticipate; SAML (again, from what I hear — being mostly  
>> SAML
>> ignorant) is that SAML requires sysadmins to maintain and more and  
>> more
>> organizations want to move away from that kind of model.
>>
>> HTTP succeeds because (among many, many other reasons) you can jack  
>> up your
>> service to things like S3 once you realize that you're not really  
>> saving any
>> money as a small to mid-sized organization running a server farm.  
>> The same
>> thing applies to user authentication and security over time, where  
>> it'd be
>> nice to have a fairly straight-forward, interoperable protocol for  
>> doing
>> authentication. From what I've heard, I don't question the  
>> sophistication or
>> technological pedigree of SAML; it's just that when I hear people  
>> say that
>> OpenID isn't secure enough, it's like saying we should all switch  
>> to RDF
>> because it's OMG-so-much-better.
>>
>> I don't doubt that either are, if your primary concerns in life are  
>> centered
>> around the problems that these technologies solve; but for folks  
>> for whom
>> security isn't necessarily their only responsibility, and they no  
>> longer
>> have an IT department or staff to manage a SAML solution and look  
>> to OpenID
>> as a potential answer — saying that OpenID isn't secure enough  
>> doesn't seem
>> to be an answer to the question "well, then what do I use?"
>>
>> How do we get from where we are today to a point where OpenID  
>> really does
>> solve a large number of security problems — if only because it  
>> hopefully
>> means fewer passwords in use overall — and fewer unique accounts to
>> maintain? Look, let's take another look at this: it isn't just "is  
>> OpenID by
>> itself secure?" It's: "given how OpenID changes the makeup of and  
>> behavior
>> in the overall ecosystem, are we now more secure than we were  
>> before?" In
>> general, I think the answer is yes, though of course good security
>> necessitates vigilance and constant improvement.
>>
>> To Johannes point: are we capturing these needed improvements  
>> anywhere, and
>> if not, can we begin to?
>>
>> Chris
>>
>>
>> --
>> Chris Messina
>> Citizen-Participant &
>>  Open Web Advocate-at-Large
>>
>> factoryjoe.com # diso-project.org
>> citizenagency.com # vidoop.com
>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>

More information about the general mailing list