[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal

Francisco Corella fcorella at pomcor.com
Tue Feb 14 19:30:40 UTC 2012


John,

> As a customer of Eddie's service I can say that it works quite well
> given the limitations of browsers.

But we can't tell if it's secure, because the details are not
documented.

> Getting users to manage moving private keys and certificates from
> Firefox into an iPhone is not something most people are going to
> manage, given the current technology.  (yes it is possible) 
> 
> One possible area of exploration is coupling Eddie's existing LoA 2
> certificates with openID Connect to have a LoA 2 service.
> 
> Doing that with openID 2.0 is still a LoA 1 service so not
> particularly interesting to NSTIC.
> 
> Having long experience with PKI client auth there are many things that
> could be done to improve the experience for using it as a primary
> authenticator for SAML, openID 2.0 and OpenID Connect.
> It is probably best to separate the primary and secondary
> authenticator issues to some extent, especially if you are looking for
> a grant.
> 
> OpenID is agnostic to the primary authenticator technology used by
> Identity providers.   Some like StarSSL use PKI, others like Google
> are offering OTP, and SMS, and Mobio who are doing QR codes.

I know.

> We still have a lot of room for innovation with primary
> authenticators.   
> 
> The hardest work is perhaps the identity proofing and management at
> higher assurance levels,  without that the value of the additional
> security is not apparent to a lot of people.

Username+password credentials are used on the Web to authenticate
repeat visits, i.e. to ensure that the user who is logging in to an
account is the same user who registered and created the account
earlier.  No proofing is involved.  The main role of OpenID as it is
used on the Web today is to replace username+password login for that
same purpose.  No proofing is needed for that.  But OpenID as used
today does not eliminate the security risks of passwords; arguably it
makes them worse by facilitating phishing attacks.  By authenticating
to the identity provider with a certificate rather than a password you
do eliminate the password, and the phishing attacks, thus making
OpenID much more secure.

> There are a lot of things people can try and get NSTIC grants for. 
> 
> I don't know that the openID general list is necessarily the place to
> dig into the deployment details of PKI client auth though.
> 
> Good luck with your grant proposal for those of you going after it.

Thank you, I really appreciate that :-)

Francisco




>________________________________
> From: John Bradley <ve7jtb at ve7jtb.com>
>To: Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> 
>Cc: "openid-general at lists.openid.net >> 'openid-general'" <openid-general at lists.openid.net> 
>Sent: Tuesday, February 14, 2012 7:06 AM
>Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
>On 2012-02-14, at 7:55 AM, Eddy Nigg (StartCom Ltd.) wrote:
>
>
>>On 02/14/2012 06:46 AM, From Francisco Corella:
>>>I guess you mean that if the relying party downloads a certificate in
>>>the body of an HTTP response with a content-type header whose value is
>>>a MIME type indicating that the body contains a certificate, and if
>>>Firefox "finds a valid key pair" then Firefox will import the
>>>certificate automatically.  Did I guess right?
>>>
>>Yes.
>>
>>
>>>Well, depending on the details, that could be a security hole.  If the
>>>valid key pair that Firefox finds consists of the public key in an
>>>existing certificate and the associated private key, Firefox could end
>>>up replacing the existing certificate with one downloaded by an
>>>attacker that binds the public key to the attacker's identity.
>>>
>>No, if an attacker could do that it'd be too late anyway; then he
>>probably could impersonate the entire internet. "Finding" a public
>>key that would match a private key is kind of impossible (with
>>sufficient key size). But I'm not sure if this is the right forum
>>for such crypto stuff.
>>
>>
>>Regards  
>>  
>>Signer:  Eddy Nigg, COO/CTO 
>>  StartCom Ltd. 
>>XMPP:  startcom at startcom.org 
>>Blog:  Join the Revolution! 
>>Twitter:  Follow Me 
>>  
>>
>>_______________________________________________
>>general mailing list
>>general at lists.openid.net
>>http://lists.openid.net/mailman/listinfo/openid-general
>>
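As an added illustration of the import rule the quoted exchange disagrees about (my own model, not Firefox's code and not anything posted in the thread): a simplified client-certificate store that contrasts "import whenever any stored private key matches" with a rule that only honours a key pair generated for a pending enrolment and never rebinds an already-enrolled key to a different subject or issuer. Certificate fields, issuer names and key bytes are constructed placeholders; `key_fingerprint` hashes opaque key bytes in place of a real SubjectPublicKeyInfo.

```python
from dataclasses import dataclass, field
import hashlib

@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    public_key: bytes  # stands in for the SubjectPublicKeyInfo of a real X.509 cert

def key_fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()

@dataclass
class KeyStore:
    trusted_issuers: frozenset
    pending: dict = field(default_factory=dict)   # fingerprint -> issuer expected
    enrolled: dict = field(default_factory=dict)  # fingerprint -> Certificate

    def begin_enrolment(self, public_key: bytes, expected_issuer: str) -> str:
        fp = key_fingerprint(public_key)
        self.pending[fp] = expected_issuer
        return fp

    def import_naive(self, cert: Certificate) -> str:
        # Import whenever any stored private key matches: the rule questioned above.
        fp = key_fingerprint(cert.public_key)
        if fp in self.pending or fp in self.enrolled:
            self.pending.pop(fp, None)
            self.enrolled[fp] = cert  # silently rebinds the key to cert.subject
            return "imported"
        return "rejected: no matching private key"

    def import_checked(self, cert: Certificate) -> str:
        # Hardened rule: a key match alone never replaces an existing binding.
        fp = key_fingerprint(cert.public_key)
        if cert.issuer not in self.trusted_issuers:
            return "rejected: untrusted issuer"
        if fp in self.pending:
            if self.pending.pop(fp) != cert.issuer:  # mismatch cancels the enrolment
                return "rejected: issuer differs from enrolment"
            self.enrolled[fp] = cert
            return "imported"
        old = self.enrolled.get(fp)
        if old is None:
            return "rejected: no matching private key"
        if (old.subject, old.issuer) == (cert.subject, cert.issuer):
            self.enrolled[fp] = cert  # same binding: a renewal
            return "renewed"
        return "rejected: key already bound to another identity"
```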