[security] security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Oct 28 11:09:09 UTC 2006
Hi Martin,
Martin Atkins wrote:
> I tend to think about it in much the same way as people have been
> dealing with spam. There are lots of methods of detecting whether a
> given message is spam, and some are more effective in different
> situations than others.
>
Spool back almost 30 years! There was no Internet in the form we know it
today. Developed in 1982, SMTP isn't up to the task of today's Internet,
but since it is widely used today, solutions are put on top of it in
order to try to give some sort of protection for various things.
Today (2006), there is no reason to pretend we are in the early 80's.
Without wanting to offend anybody, this borders on stupidity: to implement a
new protocol and standard without taking into account the
most basic security requirements. I agree that there are many different
ways of doing that, but not doing anything is negligence!
By encouraging <http://iwantmyopenid.org/bounty> the world to integrate
OpenID into their software, obviously to spread OpenID, WITHOUT
providing adequate protection by the standard itself, to the relying
parties is almost criminal! This might be gross negligence and intent by
the sponsoring parties:
VeriSign <http://www.verisign.com/>, JanRain <http://janrain.com/>, Four
Kitchen Studios <http://fourkitchens.com/>, Cordance
<http://www.cordance.net/>, ooTao <http://www.ootao.com/>, Zooomr
<http://zooomr.com/>, claimID <http://claimid.com>, ZP3
<http://zp3.com>, International Webmasters Association
<http://iwanet.org/>, NetMesh <http://netmesh.us>, SXIP
<http://www.sxip.com/>, Opinity <http://www.opinity.com>, Six Apart
<http://www.sixapart.com> and AmSoft <http://www.amsoft.net>
As the specs are defined currently, the shortcomings are:
- Shared secret between RP and IDP is optional
<http://openid.net/specs/openid-authentication-2_0-10.html#anchor3>. Our
spoofing attempt a week ago would have succeeded easily (which was
assumed by me).
- Standard and common security requirements are recommended and not a
requirement.
- No basic or minimal trust requirements and adherence to the standard.
This makes OpenID the future SMTP of Identity Management! Adoption of
OpenID 2.0 should be discouraged in the strongest possible terms!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
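To make the first shortcoming in the list above concrete, here is an added example (not code from the original message, the OpenID specification or any listed sponsor) of what a Relying Party can and cannot check depending on whether it holds a shared secret with the OP. The OP signs its positive assertion with the association's MAC key per the OpenID 2.0 signing rules (key-value form of the fields named in openid.signed, HMAC, base64), and the RP verifies it. The association handle, MAC key, endpoint URLs and nonce values are constructed for the example; the point is the branch where the RP has no association for the handle and therefore cannot verify anything locally.

```python
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed association table on the Relying Party side (hypothetical
# handle and key, not from any real OP): assoc_handle -> (assoc_type, mac_key)
RP_ASSOCIATIONS = {
    "assoc-1a2b3c": ("HMAC-SHA256", b"constructed 32-byte secret key!!"),
}

# Fields that an OpenID 2.0 positive assertion's signature must cover.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def kv_form(fields, signed_list):
    # Key-value form of the signed fields: each "key:value\n", in the order
    # given by openid.signed, without the "openid." prefix.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_list).encode()


def compute_sig(fields, assoc_type, mac_key):
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    signed_list = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed_list), digest).digest()
    return base64.b64encode(mac).decode()


def op_positive_assertion(claimed_id, return_to, nonce, handle, assoc_type, mac_key):
    """OP side: build an id_res response and sign it with the shared secret."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",  # constructed
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = compute_sig(fields, assoc_type, mac_key)
    return fields


def rp_verify(fields, associations, expected_return_to):
    """RP side: accept only assertions authenticated by a shared-secret MAC.
    Returns (accepted, reason)."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    if fields.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    handle = fields.get("openid.assoc_handle")
    if handle not in associations:
        # No shared secret for this handle, so the MAC cannot be checked locally.
        # The spec's fallback is a check_authentication request to the OP; an RP
        # that simply trusts the assertion at this point is the spoofing case.
        return False, "unknown association handle; needs check_authentication"
    signed = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        return False, "required fields not covered by signature"
    if any("openid." + k not in fields for k in signed):
        return False, "signed list names a field that is absent"
    assoc_type, mac_key = associations[handle]
    expected = compute_sig(fields, assoc_type, mac_key)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    return True, "ok"


def demo():
    return_to = "https://rp.example/finish"  # constructed RP URL
    handle, (atype, key) = next(iter(RP_ASSOCIATIONS.items()))
    genuine = op_positive_assertion("https://alice.example/", return_to,
                                    "2006-10-28T11:09:09Zabc", handle, atype, key)
    # Attacker rewrites the identity in transit but cannot re-sign.
    tampered = dict(genuine)
    tampered["openid.claimed_id"] = "https://bob.example/"
    tampered["openid.identity"] = "https://bob.example/"
    # Attacker forges a whole assertion without knowing any shared secret.
    forged = op_positive_assertion("https://bob.example/", return_to,
                                   "2006-10-28T11:10:00Zxyz", "attacker-handle",
                                   "HMAC-SHA256", b"guess")
    return {
        "genuine": rp_verify(genuine, RP_ASSOCIATIONS, return_to),
        "tampered": rp_verify(tampered, RP_ASSOCIATIONS, return_to),
        "forged": rp_verify(forged, RP_ASSOCIATIONS, return_to),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The genuine assertion passes, the tampered one fails on the MAC, and the forged one is refused because the RP has no key for the handle. Nonce replay tracking and the check_authentication round trip itself are left out; the example only shows that without an association the RP has nothing of its own to verify against.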