[OpenID] TransparencyCamp and OpenID (U)

Eric Norman ejnorman at doit.wisc.edu
Fri Mar 13 18:58:18 UTC 2009


On Mar 13, 2009, at 11:28 AM, Breno de Medeiros wrote:

> On the surface, it would seem that OpenID could achieve such standard 
> with minor tweaks of the protocol. However, this perception is 
> misleading. The standard was developed for non-user-centric systems 
> where the IDP has out-of-band mechanisms to bind identifiers to real 
> users. In a user-centric system where users can delegate arbitrary 
> identifiers to the OP, one would expect it to be necessary to develop 
> an additional set of criteria by which delegation can be assured to a 
> minimum level of integrity protection. Today delegation can be 
> achieved reasonably easily via phishing attacks that may appear 
> relatively benign (do not ask user to enter password credentials, for 
> instance).

(Note: even though I quoted a particular response above, my
use of the pronoun "you" below is intended to be plural).

Regardless of whether the "minor tweaks" are accurate or not
and regardless of whether the perception is misleading, you
still need to address the non-technical sections of NIST 800-63.
That would be section 6 or 7 depending on whether you're using
the draft cited in this thread or the published version.

This thread is about proposing that the US Federal Government
use OpenID.  I can assure you that they will want to talk about
NIST 800-63 and OMB 4 among other documents.  So it would be
a good idea to be ready to converse on those terms.

It also won't help if you tell them that their documentation
doesn't describe a user-centric system.  What they are likely
to tell you in that case is that they don't want a user-centric
system; good-bye.

You also might want to be careful about use of words or their
variants that are defined in the glossary such as "Verifier".
If these are used in some other sense, it might lead to
miscommunication.

Eric Norman
