[security] How to decide what the OpenID baseline should be? (was RE: Who bears the risk..)

Drummond Reed drummond.reed at cordance.net
Fri Oct 27 17:39:04 UTC 2006


Just for context, this exact thread ran through the OpenID marketing list
(at iwantmyopenid.org - no public archives) about three weeks ago. Johannes
Ernst even explained that he had implemented such an OpenID service at
NetMesh just for testing purposes.

So once again this establishes the baseline that OpenID Authentication as it
currently stands really proves just one thing: that an OpenID Provider (IdP)
is authoritative for an OpenID Identifier (URL or XRI), period. Currently
the relationship between the OpenID Provider and the registrant of the
OpenID Identifier, and the nature of the authentication the OpenID Provider
requires (or does not require) of the registrant of the OpenID Identifier,
is out of scope.

There are many folks on the list that have argued that this is by design -
that OpenID Provider authentication of an Identifier is the baseline
requirement for the protocol, and that the OpenID Provider/End-User
authentication verification is a separate issue that can be layered on top
of this. 

There are others that are arguing that this baseline is too low, and will
kill OpenID adoption if it is not raised.

I understand both sides. Rather than have the argument all over again, for
an issue as important as this, I'd suggest we first need to answer the
metaquestion: how do we as a community decide this question? Should we try
to hash it out on the lists, or should we try to convene telecon(s), or
should we go to a f2f meeting level?

=Drummond 

  _____  

From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
Behalf Of Alaric Dailey
Sent: Friday, October 27, 2006 10:02 AM
To: security at openid.net
Subject: Re: [security] Who bears the risk..

I seem to remember saying that this would happen if authentication was
outside the scope of the spec.

  _____  

From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, October 27, 2006 7:21 AM
Cc: security at openid.net
Subject: Re: [security] Who bears the risk..

Hi All,

I'm glad to announce that I have installed a new OpenID Server for anybody
to use. This is a super-trooper and absolutely cool OpenID server, since it
doesn't require you to sign up, register or anything...Total privacy! You
can choose any user name and change the name every time if you wish, all you
have to do, is to provide at LiveJournal or other blog/forum, a URI like
http://123.no-password.com...everything works, no questions asked! You can
even choose a user name somebody else used previously. This is especially
interesting, since viagra.no-password.com will become reusable...

I simply downloaded one of the libraries from the OpenID web site and
removed any authentication checking (patch available), so that when you have
to authenticate with no-password.com the web site simply posts you back to
LiveJournal with is_valid="true". Also I removed the association for shared
secrets with the RP, since there is nothing here to protect and it is completely
optional <http://openid.net/specs/openid-authentication-2_0-10.html#anchor3>
according to the specs. This makes no-password.com the fastest OpenID
server, since we don't use SSL and have no need to create the assoc_handle.
I'm sure we gained about 10 milliseconds on this! BTW, did I tell you, that
no-password.com is completely private and anonymous? Any log files created
by the server are directed to /dev/null so that any traces of your visit at
no-password.com are destroyed immediately! This is much better than the PiP
offered from Verisign, since they probably keep log files and make back ups
of their databases ;-) and because according to the specs the IdP
establishes whether the End User is authorized to perform OpenID
Authentication and wishes to do so and the manner in which the End User
authenticates to their IdP is beyond the scope of the OpenID Authentication
2.0 Specifications, all users are authorized at no-password.com without
questions asked. Cool, isn't it?

I'm sure you now understand how useful the OpenID framework is and you
decided to add OpenID login to your forum immediately. There are no
requirements on your part, but you should....well, really you should
<http://openid.net/specs/openid-authentication-2_0-10.html#initiation> make
a small form at your forum, so the user can enter the no-password.com URI.
It's also recommended that you place the OpenID logo
<http://openid.net/login-bg.gif> at the beginning of the form field. Well,
perhaps you just remove any authentication at your forum...it's useless
anyway...Count on no-password.com to always authenticate the users of your
forum positively!

However, I'm not sure, if I'll keep no-password.com, since I just bought it
and can return the domain within 10 days without getting charged. Anyway,
perhaps I'll get another one (no-questions-asked.com is free) in ten
days....I'll keep you updated on this!

-- 

Regards

Signer:      Eddy Nigg, StartCom Ltd.

Phone:       +1.213.341.0390
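
Added example, not code from this thread or from any OpenID library: a relying-party decision routine that treats a verified assertion only as proof that the OpenID Provider vouches for the identifier (Drummond's baseline) and layers the RP's own per-Provider policy on top, so a no-questions-asked Provider like the no-password.com server described above can never earn more than the lowest tier. The policy table, the /server endpoint paths, the forum.example return URL and the tier names are assumptions; the parameter names are the OpenID 2.0 id_res response fields.

```python
"""Relying-party trust policy layered over an OpenID 2.0 positive assertion.

Added example, not code from the thread or any OpenID library.  Field names
are the real OpenID 2.0 id_res parameters; the policy table, host names,
endpoint paths and tiers are constructed for illustration.
"""
from urllib.parse import urlparse

OPENID2_NS = "http://specs.openid.net/auth/2.0"
REQUIRED = {"openid.op_endpoint", "openid.claimed_id", "openid.sig",
            "openid.signed", "openid.response_nonce", "openid.return_to"}

# Constructed policy: OPs this RP has decided to trust, and for what.  An OP
# not listed gets DEFAULT_TIER, because its assertion proves only that it is
# authoritative for the identifier, not how (or whether) the user logged in.
OP_POLICY = {"pip.verisignlabs.com": "member"}  # constructed entry
DEFAULT_TIER = "unverified"


def decide_access(assertion, discovered_op_endpoint, signature_valid):
    """Return an access tier for an id_res response.

    discovered_op_endpoint: what the RP's own discovery on claimed_id found
        (passed in so the example runs offline).
    signature_valid: outcome of checking openid.sig via the association or
        a stateless check_authentication round trip (is_valid:true).
    """
    if assertion.get("openid.ns") != OPENID2_NS:
        return "rejected"
    if assertion.get("openid.mode") != "id_res" or not REQUIRED.issubset(assertion):
        return "rejected"
    # Baseline: the asserting OP must be the one discovery names for this
    # claimed_id, or any OP could vouch for any identifier.
    if assertion["openid.op_endpoint"] != discovered_op_endpoint:
        return "rejected"
    if not signature_valid:  # necessary, but only shows that the OP vouches
        return "rejected"
    host = urlparse(assertion["openid.op_endpoint"]).hostname or ""
    return OP_POLICY.get(host, DEFAULT_TIER)


def sample_assertion(op_endpoint, claimed_id):
    """Constructed id_res response with a placeholder signature."""
    return {
        "openid.ns": OPENID2_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
        "openid.return_to": "http://forum.example/openid/return",
        "openid.response_nonce": "2006-10-27T17:39:04ZCONSTRUCTED",
        "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce",
        "openid.sig": "Q09OU1RSVUNURUQ=",  # constructed, not a real HMAC
    }
```

Because the no-password.com assertion passes every protocol check and still lands in the "unverified" tier, the example shows why a Provider's is_valid answer is necessary but never sufficient for the RP's own access decision.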
