<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div>To (what I think is) Chris' point about changing/up-leveling the discussion out of an "OpenID vs. SAML" or "OpenID is insecure" sidetrack, and to (what I think is) Johannes' point about capturing the security requirements that we can base a new work stream on... I humbly suggest we look at the requirements our friends in the US Government (and others) are requiring now and are confident they will continue to require regardless of (and independent of) private sector innovation. I'm specifically referring to their requirement for compliance with the NIST-defined levels of assurance (LOA).</div>
<div><br></div>
<div>If I were to peer into my crystal ball I would probably see that most of the compelling applications that governments will open to 3rd-party credentialed citizens are likely to be set to LOA 2 or LOA 3. How about we shift this conversation to focus on how OPs can offer OpenID-based services to their users that achieve government-recognized compliance with LOA 2 (and soon after, LOA 3)?</div>
<div><br></div>
<div>Some work on this has already been *started* but not progressed in earnest. Project Concordia has some use cases that look at this problem space. The Identity Assurance Framework looks at how any particular credential service can achieve LOA 1 through LOA 4. What we don't have is any analysis of what an OP could achieve with OpenID 2.0. Knowing this will provide a clear gap analysis of what we have vs. what we need. We can base our deliberations on these hard facts. I can only believe this will be more productive than... actually I don't see any alternative to this approach if we are serious about making progress.</div>
<div><br></div>
<div>Next Steps?</div>
<div><br></div>
<div>Since I work closely with the primary US Government agency in charge of procurement (which is quite important to the issue of what/which IT infrastructure Federal agencies deploy), and because they already require our certification for all federation technology prior to being considered by agencies for procurement (this is all SAML and/or PKI today -- just to clear up any confusion about the usage of SAML in eCitizen applications), and since they are working closely with us to adopt our credential assessment framework for LOA 1-2 in the very near future (and LOA 3-4 down the road), I would be happy to talk with them about co-hosting a kick-off event to drill into this issue as it relates to OpenID specifically. I assume they will be interested. They, like me, would like to see citizens be able to use whatever private sector credentials they "already have" to access government applications. If those are OpenIDs, then let's make sure those OpenIDs are going to be acceptable to these federal Relying Parties (who knows, we might learn something that helps us win more RP adoption in other markets as well).</div>
<div><br></div>
<div>Thoughts?</div>
<div><br></div>
<div>Brett McDowell | +1.413.652.1248 | <a href="http://info.brettmcdowell.com">http://info.brettmcdowell.com</a></div>
<div><br></div>
<div>On Mar 12, 2009, at 9:05 PM, Peter Williams wrote:</div>
<blockquote type="cite">
<div>I’ve been playing with dynamic SAML metadata modes recently. Instead of reading a signed XRDS file, peers dynamically sign SAML metadata files. A SAML metadata file is only XML, and has extensions: one of which could include an XRD or 2 (and thus get signed XRD off the ground). You can look at the SAML endpoints as funky XRD services, all expressed in their own markup.</div>
<div><br></div>
<div>The best thing that ever happened to SAML2 was openid – as [most of] the SAML crowd have largely got off their ultra high horse and been forced to match openid in simplicity and effectiveness (or be made irrelevant).</div>
<div><br></div>
<div><b>From:</b> <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [<a href="mailto:general-bounces@openid.net">mailto:general-bounces@openid.net</a>] <b>On Behalf Of</b> Chris Messina<br><b>Sent:</b> Thursday, March 12, 2009 3:59 PM<br><b>To:</b> Johannes Ernst<br><b>Cc:</b> OpenID List<br><b>Subject:</b> Re: [OpenID] TransparencyCamp and OpenID (U)</div>
<div><br></div>
<div>On Thu, Mar 12, 2009 at 4:37 PM, Johannes Ernst &lt;jernst+<a href="http://openid.net">openid.net</a>@<a href="http://netmesh.us">netmesh.us</a>&gt; wrote:</div>
<blockquote type="cite">
<div>On Mar 12, 2009, at 9:46, Ben Laurie wrote:</div>
<blockquote type="cite">
<div>I agree that all of SAML is way too large a pill to swallow but there's no reason subsets that are usable cannot be defined, and, indeed, have been.</div>
</blockquote>
<div><br></div>
<div>I would love it if somebody was actually starting a working group (in Apache they would call it "incubate") that would propose all the gory details of a "more secure" form of OpenID that still fits into the decentralized, discovery-based OpenID architecture. Only then can we tell what may or may not be the better approach.</div>
</blockquote>
<div><br></div>
<div>+1.</div>
<div><br></div>
<div>I'm not the person to do it, simply because I don't have the background, but I'm really no longer interested in the discussion that "OpenID isn't good enough for high-value transactions". Tell that to the Japanese who are already pushing payments over/with OpenID.</div>
<div><br></div>
<div>If it's got security issues, as Johannes said, we should collect a list of them as issues and go about finding suitable solutions, best practices or explanations for WONTFIX-type resolutions.</div>
<div><br></div>
<div>The reality is, people will use OpenID in all kinds of cases that we can't anticipate; SAML (again, from what I hear — being mostly SAML ignorant) requires sysadmins to maintain it, and more and more organizations want to move away from that kind of model.</div>
<div><br></div>
<div>HTTP succeeds because (among many, many other reasons) you can jack up your service to things like S3 once you realize that you're not really saving any money as a small to mid-sized organization running a server farm. The same thing applies to user authentication and security over time, where it'd be nice to have a fairly straightforward, interoperable protocol for doing authentication. From what I've heard, I don't question the sophistication or technological pedigree of SAML; it's just that when I hear people say that OpenID isn't secure enough, it's like saying we should all switch to RDF because it's OMG-so-much-better.</div>
<div><br></div>
<div>I don't doubt that either are, if your primary concerns in life are centered around the problems that these technologies solve; but for folks for whom security isn't necessarily their only responsibility, and they no longer have an IT department or staff to manage a SAML solution and look to OpenID as a potential answer — saying that OpenID isn't secure enough doesn't seem to be an answer to the question "well, then what do I use?"</div>
<div><br></div>
<div>How do we get from where we are today to a point where OpenID really does solve a large number of security problems — if only because it hopefully means fewer passwords in use overall — and fewer unique accounts to maintain? Look, let's take another look at this: it isn't just "is OpenID by itself secure?" It's: "given how OpenID changes the makeup of and behavior in the overall ecosystem, are we now more secure than we were before?" In general, I think the answer is yes, though of course good security necessitates vigilance and constant improvement.</div>
<div><br></div>
<div>To Johannes' point: are we capturing these needed improvements anywhere, and if not, can we begin to?</div>
<div><br></div>
<div>Chris<br><br>--<br>Chris Messina<br>Citizen-Participant &amp;<br>Open Web Advocate-at-Large<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br><a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private</div>
<div>_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a></div>
</blockquote>
</body></html>