[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
John Bradley
ve7jtb at ve7jtb.com
Tue Feb 14 15:06:12 UTC 2012
As a customer of Eddy's service I can say that it works quite well given the limitations of browsers.
Getting users to manage moving private keys and certificates from Firefox into an iPhone is not something most people are going to manage, given the current technology. (Yes, it is possible.)
One possible area of exploration is coupling Eddy's existing LoA 2 certificates with OpenID Connect to have a LoA 2 service.
Doing that with OpenID 2.0 is still a LoA 1 service, so not particularly interesting to NSTIC.
From long experience with PKI client auth, there are many things that could be done to improve the experience of using it as a primary authenticator for SAML, OpenID 2.0 and OpenID Connect.
It is probably best to separate the primary and secondary authenticator issues to some extent, especially if you are looking for a grant.
OpenID is agnostic to the primary authenticator technology used by identity providers. Some, like StartSSL, use PKI; others, like Google, are offering OTP and SMS; and Mobio is doing QR codes.
We still have a lot of room for innovation with primary authenticators.
The hardest work is perhaps the identity proofing and management at higher assurance levels; without that, the value of the additional security is not apparent to a lot of people.
There are a lot of things people can try and get NSTIC grants for.
I don't know that the OpenID general list is necessarily the place to dig into the deployment details of PKI client auth, though.
Good luck with your grant proposal for those of you going after it.
John B.
On 2012-02-14, at 7:55 AM, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 02/14/2012 06:46 AM, From Francisco Corella:
>>
>> I guess you mean that if the relying party downloads a certificate in
>> the body of an HTTP response with a content-type header whose value is
>> a MIME type indicating that the body contains a certificate, and if
>> Firefox "finds a valid key pair" then Firefox will import the
>> certificate automatically. Did I guess right?
>
> Yes.
>
>> Well, depending on the details, that could be a security hole. If the
>> valid key pair that Firefox finds consists of the public key in an
>> existing certificate and the associated private key, Firefox could end
>> up replacing the existing certificate with one downloaded by an
>> attacker that binds the public key to the attacker's identity.
>
> No, if an attacker could do that it'd be too late anyway; then he could probably impersonate the entire internet. "Finding" a public key that would match a private key is kind of impossible (with sufficient key size). But I'm not sure if this is the right forum for such crypto stuff.
>
> Regards
>
> Signer: Eddy Nigg, COO/CTO
> StartCom Ltd.
> XMPP: startcom at startcom.org
> Blog: Join the Revolution!
> Twitter: Follow Me
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
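The concern Francisco raises in the quoted exchange does not depend on anyone "finding" a private key: the public key of an existing certificate is public, so a certificate that binds that key to a different name will satisfy a key-match test. What decides whether that matters is what the importer checks before replacing a stored certificate. The Go program below is an added example, not code from this thread, from Firefox or from StartCom. It constructs the scenario inline: a trusted CA issues Alice a certificate, a second CA that the importer does not trust issues one for "mallory" over Alice's public key, and the hypothetical `acceptForImport` shows that a key-match check alone accepts both while adding chain validation and an expected-name check rejects the impostor. All names, CAs and keys are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for pub under the given common name. When
// parent is nil the certificate is self-signed with parentKey (a root CA).
func newCert(cn string, pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// keyMatches is the check the thread describes: does the certificate carry
// the public half of a private key we already hold? Public keys are public,
// so this says nothing about who the certificate names or who issued it.
func keyMatches(cert *x509.Certificate, priv *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey)
}

// acceptForImport (hypothetical name) is the hardened check: key match, plus
// a chain to a CA we trust, plus the subject we expect, before any stored
// certificate is replaced.
func acceptForImport(cert *x509.Certificate, priv *rsa.PrivateKey, roots *x509.CertPool, expectedCN string) error {
	if !keyMatches(cert, priv) {
		return errors.New("public key does not match the held private key")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted CA: %w", err)
	}
	if cert.Subject.CommonName != expectedCN {
		return fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, expectedCN)
	}
	return nil
}

// scenario builds the constructed case and reports whether Alice's real
// certificate is accepted, whether the impostor certificate is accepted, and
// whether the impostor passes the key-match check on its own.
func scenario() (legitOK, impostorOK, impostorKeyMatches bool, err error) {
	keys := make([]*rsa.PrivateKey, 3)
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	caKey, aliceKey, rogueKey := keys[0], keys[1], keys[2]
	caCert, err := newCert("Trusted CA", &caKey.PublicKey, nil, caKey, true)
	if err != nil {
		return
	}
	aliceCert, err := newCert("alice", &aliceKey.PublicKey, caCert, caKey, false)
	if err != nil {
		return
	}
	rogueCA, err := newCert("Rogue CA", &rogueKey.PublicKey, nil, rogueKey, true) // never trusted below
	if err != nil {
		return
	}
	// Alice's public key (it is public) bound to another name by an untrusted issuer.
	impostorCert, err := newCert("mallory", &aliceKey.PublicKey, rogueCA, rogueKey, false)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	legitOK = acceptForImport(aliceCert, aliceKey, roots, "alice") == nil
	impostorOK = acceptForImport(impostorCert, aliceKey, roots, "alice") == nil
	impostorKeyMatches = keyMatches(impostorCert, aliceKey)
	return
}

func main() {
	legit, impostor, naive, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("Alice's certificate accepted:", legit, "| impostor passes key-match alone:", naive, "| impostor accepted by full check:", impostor)
}
```

The design point is the order of checks: the key match only tells the importer which stored key the certificate belongs with; chain validation against a root set the importer controls, and a comparison of the subject against the identity already on record, are what stop a key from being silently re-labelled.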