[security] security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Oct 28 00:39:43 UTC 2006
Martin, your suggestions are interesting! However isn't there a danger
of a split of networks and fragmentation? Perhaps it might be useful to
include a "trust anchor" in the OpenID specs, which would define, how
trust networks should be approached? This could be some identifier or
list of known "trust networks", which allows an RP to select and act
accordingly to the networks specific specifications...This would
guaranty, that all RP's still can talk to all (requested) IDP's, without
failing to to talk to X or Y, because it doesn't know, which specs it
follows...Something like "trust discovery"?
Since third parties must be involved in this (i.e. "OpenID Registry",
"Verisign Trustnetwork" ;-), "xdi.org"), which according to their policy
control adherence to it, the RP must know about them in first
place....Otherwise very soon, none of the various networks will be
compatible...or requires from the RP to implement many different specs
in order to stay compatible with them all...
Suggestions?
Martin Atkins wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> A central repository of a list of registered IDP's. The RP can define if
>> he wants to check with that list or not.
>> If yes, the RP checks with the list and receives a green light, else it
>> fails.
>>
>>
>
> As has been noted a few times, OpenID is focused on solving a very
> particular problem, and that problem does not include trust. Mostly
> we've been talking about trust of Identifier URLs so far, but this
> applies to IdPs as well.
>
> RPs are, per the spec, free to refuse to associate with a given IdP
> based on whatever criteria they choose. The upshot of this is that a
> separate effort, independent of the OpenID auth spec, can provide some
> kind of trust system — possibly based on the system you describe — for
> IdPs. RPs can choose to use your system, or they might use someone
> else's system. This is consistent with the decentralized spirit of OpenID.
>
> Since this seems to be your area of expertise and an area of interest to
> you, I encourage you to write up a more formal proposal — on the wiki,
> for example — for some kind of protocol for checking IdP trust which can
> be employed by RPs as one of their mechanisms for discriminating against
> IdPs. However, the whole subject of inter-party trust is deliberately
> not considered in OpenID; we're not trying to save the world. :)
>
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061028/373af3d3/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eddy_nigg.vcf
Type: text/x-vcard
Size: 636 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061028/373af3d3/attachment-0002.vcf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7282 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20061028/373af3d3/attachment-0002.bin>
More information about the security
mailing list