[OpenID] The OpenID Foundation Launches the OpenID Connect Standard

Sun Mar 2 00:54:59 UTC 2014

>the hard core folks selling hardened KMIP-powered crypto boxes (with 
>"assured" random number generators and "suspiciously-secure 
>channels" between keying-command box and keying-using server cards) 
>seemed to like the way OAUTH and openid connect is going, generally.

I like the idea of backing authentication with widely-disseminated 
*trustworthy* hardware (this was one of the reasons I doubted the 
"Dark Mail Alliance"; Forbes said keys would be assigned to each user 
*and populate[d] across their devices* - right where they can too 
easily be stolen), but can we trust that these boxes haven't been 
strategically weakened for easy of future compromise, monetizing 
users when the inevitable government requests come for keys? 
(Requests plural, because of governments plural; recoup manufacturing 
costs from users, then sell key groups like E-mail addresses to 
spammers: this group belongs to people who travel internationally, 
you can use it without admitting to having agents in their country to 
spy on another nation's citizens.) I wonder if they'll open-source 
their designs, like Locksport did (enraging *that* industry), letting 
users select who *they* trust to build the hardware (and flash the 
firmware) to spec, and finding another way to profit.

>In the cloud era, it is ALL proliferating crypto-enabled  *hardware* 
>, that needs CENTRALIZED management to address compromise readiness 
>and rapid purging of broken keys - a service to be delivered by a 
>small number of ultra trusted points of presence produced a small 
>number of very "trusted" vendors.

Yes, centralized-points-of-failure (oops - I mean "centralized points 
of TRUST") are still compatible with "management as a SERVICE"; a 
patent (on published designs) might work to keep competitors out of 
that field for a while (after all, if Android and other "open-source" 
operating systems can justify locking their "open" systems to 
"proprietary" driver (or application) modules, leaving the system 
useless on anything but pre-approved hardware and the pieces 
difficult to use elsewhere, then surely RSA vendors can pirate the 
strategy from Google et al?). I've been disappointed at the 
federation of OpenID (and strong shift away from independently 
asserting/consuming "Identities"), but perhaps post-PRISM user 
annoyance (combined with the availability of "trusted" devices, if 
this at least can also be decentralized to not discourage users from 
trusting those very few vendors) will reboot OpenID's potential as an 
already-existing technology that promises user-centric trust and is 
compatible with the internet we have *now* (no disrespect to the 
crypto-anarchists building Web 3.0 as a replacement for the 
incrementally-upgraded antique we have today).

-Shade

Postscript: I defaulted to the "SitG Admin" handle for mail clients 
that show "sysadmin at s..." (fairly useless for unique 
identification!), and after trying "Shade" in its place decided to 
undo the change since it looked too much like a "real name". I later 
kept it this way to be consistent, but have been considering the 
off-putting effects it might have, and so I thought about switching 
to "Shade" - it would be pointless though if I wasn't going to 
participate more (which seemed likely with the focus on federation 
in/of OpenID), so I didn't need to do anything (lack of posts would 
have the same null-effect). Since this is another substantial post, 
though, I'm postscripting the switch. Long-time subscribers here 
should be able to recognize it with little confusion; hopefully that, 
and this one-time notice, will minimize disruption. (I also plan to 
explicitly use "Shade (pseudonym)" or similar to discourage the 
real-name assumption.)