[OpenID] The OpenID Foundation Launches the OpenID Connect Standard

Peter Williams home_pw at msn.com
Sat Mar 1 19:50:31 UTC 2014


IN GENERAL, the firewall folks doing mass data mining (in the name of deep packet inspection and mostly-undisclosed ssl interception) had little clue about openid connect. Folks had no fear that a sudden surge in adoption would overwhelm projected abilities of hardware to do the real time monitoring. At first blush, it just factored into assumed projections for http/s growth.




My own feeling about their reactions was that, at their first impression, openid connect was seen to be just another web technology (and as vulnerable as all the rest of the technology in this “open systems” design class). In natsec terms, it will be managed as were all other w3c-class technologies. All the usual mechanisms would be applied so it becomes a mass market, doing little other than address the main economic goal: provide a feel-good factor to consumers and users (with no actual security) that protects brands of vendors and factors (like Google) who project smaller brands, for a fee. (This was the first business model of Verisign, if one recalls, based on the multi-brand management knowhow transferred to it from VISA). Technical things like knowledge of the (layer 7) encryption modes of Json web tokens was close to zero. When challenged, folks saw it as little different in “significance” to any other layer 7 encryption feature (i.e. general corporate policy should and would undermine it, should encryption interfere with branding and consumerism, generally).




The exploits folks WERE more aware of the JWT security modes within openid connect, since (correctly) they view it as an evolution of OAUTH2 protocols. Since the latter is a facilitator of staining, exploit delivery, and persistence of compromises, folks looked at reliance on the Json messages over http/https as “part of the usual eco system” - that therefore changes little of the status quo. Dollar signs seemed to flash, as more opportunities for selling exploits, or selling tools that monitor exploits, came into view. “Good! More of the same!” - seemed to be the general reaction.




So what did I learn that I didn't expect, from this mini survey of (large brand) vendors at RSA Conference 2014, re openid connect? It came from an unexpected quarter. With the huge uptake in https-everywhere PCI cards, needing key management, and the presumed huge amount of JSON assured signature verification (needing public key management), the hard core folks selling hardened KMIP-powered crypto boxes (with “assured” random number generators and “suspiciously-secure channels” between keying-command box and keying-using server cards) seemed to like the way OAUTH and openid connect is going, generally. In the cloud era, it is ALL proliferating crypto-enabled *hardware*, that needs CENTRALIZED management to address compromise readiness and rapid purging of broken keys - a service to be delivered by a small number of ultra trusted points of presence produced by a small number of very “trusted” vendors.


From: peter Msn
Sent: Wednesday, February 26, 2014 2:27 PM
To: peter Msn, specs at openid.net, general at openid.net
3 more solid perspectives, from RSA show


Ping identity: it brings oauth2 up to the level of saml2 on attributes, thus completing the device world.

Radiant: it's another blob format that we will add alongside all the rest, once it's crossed the chasm. It doesn't solve the hard problem "which requires radiant ...". Just use saml2...

Entrust : what?

Comodo: urr?


In short, Ping gave the most coherent statement, CA Technologies provided a surprisingly good value-adding storyline, Google and Verisign were MIA, Microsoft Azure folks were mum and no one could talk about ADFS, and various app builder toolkit vendors seemed clueless.

Next I'll focus on the firewall, mitm, deep packet inspection side of the show, to see how they are planning to control it, spy on it, block it, record it and its json token signature/encryption etc.

After that I'll get impressions from the vulnerability and exploits crowd, since it's all based on open web design concepts whose nature just breeds vulnerabilities.

Sent from my Windows Phone



From: Peter Williams
Sent: 2/26/2014 7:19 AM
To: specs at openid.net; general at openid.net
Subject: Re: [OpenID] The OpenID Foundation Launches the OpenID Connect Standard
It's a very “busy” PR - making lots of claims.




It's about outsourcing the login page set (to a dozen huge corporations, who will offer online authentication much like Verisign once offered client digital id issuance).




It's about leveraging the trusted execution environment of the mobile phone (and the TPM of the laptop, and the TPE of Windows 8.1).




Restriction to giant firms gives one citizen identity scaling, that government can rely on. That is, your Hotmail account will be good to get you a tax refund, in the UK.




It's all about the app economy on devices and PCs, uniformly. Though, one quote says the opposite: it's all about identity fabric, and it's NOT about the applications.




It makes SSO easy, for developers, being a variant of OAUTH 2. Personally, I found it hard to make Windows talk to the OAUTH endpoints of Ping Identity, when I tried it, being tied out of the box to a few friends of Microsoft instead (particularly in the Azure case).




In the last few days, I have heard folks on the ground make the following additional claims, alluding to openid connect being cover for, generator of, or catalyst for additional “fabric” improvements:




It's about the API economy, stupid. And it's about odata API builders, in particular. No! It was not Microsoft who said that. (US real estate has opted for a proprietary profile of ODATA and OAUTH, if anyone is interested, that is specifically NOT interoperable via openid connect, or similar - against my counsel).




It's about enterprise control of what app can be used where.




It's all about app desktops, that either do token-based or password vaulting.




It's a way of monetizing reputation, the buzzword of a year or two ago. All the intelligence of using OTHER RP services is fed into the risk metric calculation, that drives a multi-factor story. Once your score goes into the red, additional challenges appear (a la passmark).




It's all about scopes - meaning it's ultimately a name server and registry play. Guess who offered that one!




No, it's all “really” about various proprietary ssl client cert enrollment processes (e.g. that in Microsoft CRM), that then allow a family of apps on a device to communicate via a shared key ring. It's really about ensuring Facebook’s “login app” doesn't succeed and create eco-systems of apps that cooperate. It must enable several such eco-systems, none of which talk to each other.




No, it's really all about ensuring the state of your “cloud-connected” app moves from device A to your PC, so you can continue on the PC where you left off on the device.
And a nice one about control and assurance: it's all about SSL client certs stored in the TPM/TPE, creating a trusted environment that is free from virus attacks via the OS. It leverages a secure container, that only governments and large firms control, delivering “assured software crypto”. Read into that what your paranoia level calls for (I assume the worst…)




It's all about using transport security (SSL), because it's so cheap now. It's so cheap to compromise, that is, I suspect.




And a cute claim that was a little out there, from a UK/US startup: our $50k quantum random number generator can provide the nonces for the SSL handshake, making it hard to induce related key attacks that do packet staining. Like trusted time before it (remember that!?), we see all crypto devices controlled by a central source, supplying the assured entropy.
Sent from Surface Pro
From: Mike Jones
Sent: Wednesday, February 26, 2014 6:31 AM
To: specs at openid.net, general at openid.net
See http://openid.net/2014/02/26/the-openid-foundation-launches-the-openid-connect-standard/ and the tweet at @openid.

This was also already favorably covered by TechCrunch: http://techcrunch.com/2014/02/26/openid-foundation-launches-openid-connect-identity-protocol-with-support-from-google-microsoft-others/.

Cheers,
-- Mike
-------------- next part --------------
_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general