[security] How to decide what the OpenID baseline should be? (was RE: Who bears the risk..)
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Oct 27 18:26:46 UTC 2006
This is the first serious post I see (after my invitation to use the
OpenID server at no-password.com) which recognizes the need that the
community MUST make decisions! This is very basic and "META" as Drummond
pointed out. I think we should stick to the mailing list for now and
suggest that somebody outlines a new option or various options on what
needs to be improved. Once we can agree on a useful wording (created by
the ones on the same line, who see a need for some changes) we should
forward that for voting (or whatever is acceptable by OpenID).
Please note that some of the list members are not really involved right
now and will be back again after the weekend (I guess)! I think to try
to outline something soon... Any suggestion is welcome...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Drummond Reed wrote:
>
> Just for context, this exact thread ran through the OpenID marketing
> list (at iwantmyopenid.org – no public archives) about three weeks
> ago. Johannes Ernst even explained that he had implemented such a
> OpenID service at NetMesh just for testing purposes.
>
> So once again this establishes the baseline that OpenID Authentication
> as it currently stands really proves just one thing: that an OpenID
> Provider (IdP) is authoritative for an OpenID Identifier (URL or XRI),
> period. Currently the relationship between the OpenID Provider and the
> registrant of the OpenID Identifier, and the nature of the
> authentication the OpenID Provider requires (or does not require) of
> the registrant of the OpenID Identifier, is out of scope.
>
> There are many folks on the list that have argued that this is by
> design – that OpenID Provider authentication of an Identifier is the
> baseline requirement for the protocol, and that the OpenID
> Provider/End-User authentication verification is a separate issue that
> can be layered on top of this.
>
> There are others that are arguing that this baseline is too low, and
> will kill OpenID adoption if it is not raised.
>
> I understand both sides. Rather than have the argument all over again,
> for an issue as important as this, I’d suggest we first need to answer
> the metaquestion: how do we as a community decide this question?
> Should we try to hash it out on the lists, or should we try to convene
> telecon(s), or should we go to a f2f meeting level?
>
> =Drummond
>
> ------------------------------------------------------------------------
>
> *From:* security-bounces at openid.net
> [mailto:security-bounces at openid.net] *On Behalf Of *Alaric Dailey
> *Sent:* Friday, October 27, 2006 10:02 AM
> *To:* security at openid.net
> *Subject:* Re: [security] Who bears the risk..
>
> I seem to remember saying that this would happen if authentication was
> outside the the scope of the spec.
>
> ------------------------------------------------------------------------
>
> *From:* security-bounces at openid.net
> [mailto:security-bounces at openid.net] *On Behalf Of *Eddy Nigg
> (StartCom Ltd.)
> *Sent:* Friday, October 27, 2006 7:21 AM
> *Cc:* security at openid.net
> *Subject:* Re: [security] Who bears the risk..
>
> Hi All,
>
> I'm glad to announce that I have installed a new OpenID Server for
> anybody to use. This is a super-trooper and absolutely cool OpenID
> server, since it doesn't require you to sign up, register or
> anything... Total privacy! You can choose any user name and change the
> name every time if you wish; all you have to do is to provide at
> LiveJournal or other blog/forum a URI like
> http://123.no-password.com... everything works, no questions asked! You
> can even choose a user name somebody else used previously. This is
> especially interesting, since viagra.no-password.com will become
> reusable...
>
> I simply downloaded one of the libraries from the OpenID web site and
> removed any authentication checking (patch available), so that when
> you have to authenticate with no-password.com the web site simply
> posts you back to LiveJournal with is_valid="true". Also I removed
> the association for shared secrets with the RP, since there is nothing
> here to protect and it is completely optional
> <http://openid.net/specs/openid-authentication-2_0-10.html#anchor3>
> according to the specs. This makes no-password.com the fastest OpenID
> server, since we don't use SSL and have no need to create the
> assoc_handle. I'm sure we gained about 10 milliseconds on this! BTW,
> did I tell you that no-password.com is completely private and
> anonymous? Any log files created by the server are directed to
> /dev/null so that any traces of your visit at no-password.com are
> destroyed immediately! This is much better than the PiP offered from
> Verisign, since they probably keep log files and make backups of
> their databases ;-) and because according to the specs /the IdP
> establishes whether the End User is authorized to perform OpenID
> Authentication and wishes to do so and the manner in which the End
> User authenticates to their IdP is beyond the scope of the OpenID
> Authentication 2.0 Specifications/, all users are authorized at
> no-password.com without questions asked. Cool, isn't it?
>
> I'm sure you now understand how useful the OpenID framework is and you
> have decided to add OpenID login to your forum immediately. There are no
> requirements on your part, but you should... well, really you should
> <http://openid.net/specs/openid-authentication-2_0-10.html#initiation>
> make a small form at your forum, so the user can enter the
> no-password.com URI. It's also recommended that you place the OpenID
> logo <http://openid.net/login-bg.gif> at the beginning of the form
> field. Well, perhaps you just remove any authentication at your
> forum... it's useless anyway... Count on no-password.com to always
> authenticate the users of your forum positively!
>
> However, I'm not sure if I'll keep no-password.com, since I just
> bought it and can return the domain within 10 days without getting
> charged. Anyway, perhaps I'll get another one (no-questions-asked.com
> is free) in ten days... I'll keep you updated on this!
>
> --
>
> Regards
>
>
>
> Signer: Eddy Nigg, StartCom Ltd.
>
> Phone: +1.213.341.0390
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
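The thread's point is that a spec-compliant OP may answer is_valid:true for anyone, so the decision to trust an OP is the Relying Party's own policy, not the protocol's. The following is an added example (not code from the thread or any OpenID library) of an RP-side check layered on top of the check_authentication result: it parses the key:value direct-response body and then rejects assertions from providers that are not on the RP's own trusted list or that were reached without HTTPS. The endpoints, response bodies and the RpTrustPolicy class are constructed for illustration.

```python
"""RP-side trust policy on top of an OpenID check_authentication result.

Added example, not code from the mailing-list thread. The OP endpoints and
response bodies below are constructed for illustration.
"""
from urllib.parse import urlparse


def parse_kv(body: str) -> dict:
    """Parse an OpenID direct-response body in key:value form, one pair per line.

    Only the first ':' separates key from value, so URL-valued fields such as
    'ns:http://specs.openid.net/auth/2.0' are parsed correctly.
    """
    fields = {}
    for line in body.splitlines():
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed key-value line: {line!r}")
        fields[key] = value
    return fields


class RpTrustPolicy:
    """Hypothetical RP policy: which OPs an RP is willing to believe at all."""

    def __init__(self, trusted_ops, require_tls=True):
        self.trusted_ops = set(trusted_ops)   # OP endpoint URLs the RP vetted
        self.require_tls = require_tls

    def evaluate(self, op_endpoint: str, check_auth_body: str):
        """Return (accepted, reason) for an assertion from op_endpoint.

        is_valid:true only tells us the OP stands behind the assertion; the
        remaining checks are the RP's own risk decision.
        """
        fields = parse_kv(check_auth_body)
        if fields.get("is_valid") != "true":
            return (False, "OP did not validate the assertion")
        if self.require_tls and urlparse(op_endpoint).scheme != "https":
            return (False, "OP endpoint is not HTTPS; response could be altered in transit")
        if op_endpoint not in self.trusted_ops:
            return (False, "OP is not on the RP's trusted-provider list")
        return (True, "accepted")
```

With an allowlist containing only a vetted provider, an `is_valid:true` reply from an arbitrary plain-HTTP OP is rejected even though it is perfectly valid per the spec.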