[security] security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Oct 28 17:02:58 UTC 2006
Martin Atkins wrote:
> The spec that we are calling "OpenID Authentication" provides a protocol
> for an RP to ask an IdP whether some user controls a given URI.
>
A noble goal!
> It specifies the use of another protocol — Yadis — as a mechanism to
> discover a list of IdPs that will answer for a given URI.
>
Which is where trust could be discovered as well...
> Anything else is outside of the scope of OpenID Authentication.
>
Up to here everything seems to be fine. But pretending and suggesting
that OpenID can or should be used in the real world (and is ready for real
world usage), even encouraging the use and integration of it by
bounties, knowing full well that the technology isn't secured, is
untrusted and as such may cause damage, is really a flaw! If it were
advised NOT to make use of OpenID, for this, that or other
reasons, this would be completely acceptable...
> You will probably note that OpenID 2.0 has grown this scope a small
> amount with the concept of directed identity, which provides a mechanism
> for an RP to ask an IdP to respond with a URL that somehow represents a
> user. [1]
>
> Notice that I'm distinguishing between "OpenID Authentication", which is
> the spec we're currently working on, and "OpenID" itself, which I hope
> will slowly grow into a suite of inter-operable technologies
> related to decentralized identity.
>
> There are a few other specs currently being considered which are related
> to, but are not part of, OpenID Authentication:
> * "Simple Registration", for automating the provision of simple
> user profile information to RPs.
> * "Attribute Exchange", which I'm not really following and don't know
> much about.
>
> ...and obviously, there's a lot of debate about how RPs should determine
> whether to trust particular IdPs and identifiers, but as far as I'm
> aware no-one is working on any concrete proposals related to this right
> now. I imagine this will become an area of focus for lots of people once
> OpenID Authentication 2.0 is finished.
>
> -------
>
> [1] I personally would have preferred directed identity as a separate
> spec, but there we go. You can't win 'em all. :)
>
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390