[security] OpenID Security Best Practices Doc

Allen Tom atom at yahoo-inc.com
Tue Jun 9 05:38:40 UTC 2009


David Fuelling wrote:
>
> That said, I am looking for some clarity on the whole "Working Group" 
> idea.  I know there's an OpenID 2.1 draft charter that's on the wiki 
> (and has been circulated on this list), but I haven't seen much 
> activity surrounding this.  In fact, this past week I've been trying 
> to "push this along" a bit by posting some discussion points about 
> Discovery and Auth 2.1, and trying to (as a community) determine if we 
> should separate this into two WG's --> Discovery 2.1 and the rest of 2.1.

Is the community ready to move forward with OpenID 2.1? I do believe 
that we really need a security best practices document, and it shouldn't 
have to wait until OpenID 2.1 is finalized.

>
> Anyway, when you said you had been "nominated", it made me think 
> there's some shadow process going on behind the scenes when it comes 
> to these Working Groups.

At the December 2008 IIW, I was either nominated or was volunteered to 
work on a Security Best Practices document after I strongly advocated that 
the community write one.

> Am I missing something?  Are there "private" WG discussions going on 
> that the rest of us can't see?

The security best practices document was first discussed at the December 
2008 IIW session on OpenID 2.1, completely in the open.

> Or are you just "taking some initiative", as it were?

Well, I'd been procrastinating for more than 6 months, but I think we 
waited long enough. More and more sites want to deploy OpenID, and it's 
about time we had a security document that potential implementers can 
read, other than just reading the specs, and various blog posts.


> -- I'm really just looking to get "in the loop" on this Working Group 
> business, assuming I'm out if currently).

I believe that the process requires the WG proposers to take their 
proposal to the Specifications council who will review the proposal and 
give their recommendation to the general membership of the OIDF to 
either approve or deny the request to form the WG. The general 
membership then votes on the proposal, and if the proposal is approved, 
the WG is formed. There's also a very painful process for the WG members 
to get their employers to approve their participation in the WG.

The WG proposals that seem to be stalled right now appear to be OpenID 
2.1, SREG 1.1, and AX 2.0.

At least with regards to SREG 1.1 and AX 2.0, I believe that the 
proposers are waiting for their employers to approve their 
participation. Where is Dick Hardt? The OpenID world misses you!

I'm not sure about the status on OpenID 2.1, but at least for myself, 
I'm more focused on the immediate goals of getting OpenID OAuth Hybrid 
and the OpenID UI Extensions finalized.

The OpenID Wiki says that the Discovery WG proposal has been sent to the 
specs council, but I have not seen the proposal yet.

Allen