[security] OpenID Security Best Practices Doc
Nate Klingenstein
ndk at internet2.edu
Mon Jun 8 21:33:21 UTC 2009
Allen,
Looks like an excellent first draft. Here are a few modifications I'd
find helpful.
1) Might mention in the logout section for users that closing a
browser will also (generally, thanks Firefox) terminate session cookies.
2) I think authentication session duration is very deployment-specific and
it would be difficult to make any general recommendations.
3) I don't think the discussion of the benefits of https for user
authentication to the OP is given enough emphasis. It would be nice
to state clearly the protection against MITM, promiscuous listeners,
etc. that https provides, so that OPs realize exactly what protection
TLS/SSL offers.
4) I'd disentangle the wording about RP/OP trust from the specific
point about PAPE. Provider trust is a more general topic that is
really important, and I think it merits its own section. I'm happy to
draft that if you'd like.
5) For account linking, I'd clarify the text so that the need to
authenticate the user separately from the assertion is explicit.
6) Pull the replay warning into its own bullet, and mention the use
of a timestamp to bound the time nonces must be stored for.
7) Is it worth mentioning more generally anything about session or
assertion hijacking and possible countermeasures?
Thanks for writing it,
Nate.
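As an added example (not part of Nate's or Allen's message) of the replay check in point 6: an RP-side nonce store that uses the UTC timestamp prefix of an OpenID 2.0 response_nonce to reject stale or replayed values and to bound how long seen nonces must be remembered. The five-minute window and 30-second skew are assumed values, not from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by
# unique ASCII characters chosen by the OP.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.*)$")


class NonceStore:
    """RP-side replay protection with storage bounded by the nonce timestamp."""

    # window and skew are assumed example values, not from the thread
    def __init__(self, window=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.window = window   # how far in the past a nonce is still accepted
        self.skew = skew       # tolerated OP clock drift into the future
        self.seen = {}         # nonce -> timestamp embedded in it

    @staticmethod
    def parse_timestamp(nonce):
        """Return the embedded UTC timestamp, or None if the nonce is malformed."""
        m = NONCE_RE.match(nonce)
        if not m:
            return None
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return None
        return ts.replace(tzinfo=timezone.utc)

    def purge(self, now):
        """Forget nonces too old to be accepted anyway; this bounds the store."""
        cutoff = now - self.window
        for nonce in [n for n, ts in self.seen.items() if ts < cutoff]:
            del self.seen[nonce]

    def check(self, nonce, now):
        """True if the nonce is well-formed, fresh and unseen; False means reject."""
        self.purge(now)
        ts = self.parse_timestamp(nonce)
        if ts is None:
            return False                 # malformed nonce
        if ts < now - self.window:
            return False                 # too old: outside the window we remember
        if ts > now + self.skew:
            return False                 # claims a future time beyond tolerated skew
        if nonce in self.seen:
            return False                 # replayed assertion
        self.seen[nonce] = ts
        return True
```

Because anything older than the window is rejected regardless, the RP never needs to remember a nonce longer than the window, which is the bound the timestamp provides.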
On Jun 8, 2009, at 9:03 PM, Allen Tom wrote:
> Hi All,
>
> As part of the OpenID 2.1 Working Group proposal, I've been
> nominated to edit the OpenID Security Best Practices document, which
> will be a living document that contains security related best
> practices as determined by the community.
>
> Although we haven't officially kicked off the OpenID 2.1 WG yet,
> OpenID has been gaining a lot of momentum and interest lately, so
> it's definitely time to start writing it.
>
> Here's a very rough draft that captures many security related
> discussions that we've had on the OpenID mailing lists and also at
> meetups like the Internet Identity Workshop.
>
> http://wiki.openid.net/OpenID-Security-Best-Practices
>
> Feedback and suggestions are more than welcome. As mentioned, this
> is intended to be a living document, so we fully expect the document
> to continue to evolve over time.
>
> Thanks
> Allen