[OpenID] About Google, Yahoo, Facebook and OpenID

Peter Williams pwilliams at rapattoni.com
Thu May 21 18:32:53 UTC 2009


That may be because nothing has really changed in 25 years...despite all the evangelism to the contrary :-)

I learned about internet and LAN networking I&A when I was 19, 25 years ago. Nonce handshakes, RSA signatures, DH key agreement, DES modes for connectionless Ethernet packets, passive/active attacks..., cipher strength, trojans collecting passwords at the terminal to be countered by needed trusted path, impact of errors on cipher modes,...

The problem has got "bigger" tho. And that's why it probably continues to require engineering effort. As it gets bigger, a lot more players want to control how it rolls out (so they can have their policy way).

Bit like PKI, which dies under its own policy weight. FBI wanted to deny folks crypto, till it could covertly intercept. NSA didn't want folks to use RSA. NIST wanted folks to use OSI security standards, that NASA/DARPA had its minions do anything to stop being fielded. UKG and Royal Holloway's folks wanted separate keying per simplex channel. NSF wanted half close on TCP to shut down only one security channel (so you could spy on the other, legally). Meantime Navy high assurance wanted SPD for IPSEC to control end-end security, whereas CISCO wanted IPSEC to simply do tunnelling. BBN didn't want there to be a user auth phase in IPSEC, and be used only for layer3 "VPNs", - fault tolerant overlays based on layer 3 discovery run by ISP router. ETC ETC ETC

The work we are doing is finding a consensus within all that "policy space", which is not just the lowest common denominator (nothing and/or snakeoil crypto).


________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Hans Granqvist [hans at granqvist.com]
Sent: Thursday, May 21, 2009 10:36 AM
To: SitG Admin
Cc: general at openid.net
Subject: Re: [OpenID] About Google, Yahoo, Facebook and OpenID

There seems to be a tendency to over-analyze too much beforehand in the identity
field.

Hans



