[security] OpenID Security Best Practices Doc
David Fuelling
sappenin at gmail.com
Tue Jun 9 17:07:20 UTC 2009
On Tue, Jun 9, 2009 at 5:38 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> Is the community ready to move forward with OpenID 2.1?
I can't necessarily speak for the community, but I'd at least like to move
forward with the 2.1 Discovery WG. The output of that is expected to be a
"best practices" document relating to Discovery that would (it is expected)
be used in the regular OpenID 2.1 WG.
I'm not opposed to doing all of this in parallel.
> I do believe that we really need a security best practices document, and it
> shouldn't have to wait until OpenID 2.1 is finalized.
>
+1
>
>> Anyway, when you said you had been "nominated", it made me think there's
>> some shadow process going on behind the scenes when it comes to these
>> Working Groups.
>>
> At the December 2008 IIW, I was either nominated or was volunteered to work
> on Security Best Practices document after I strongly advocated that the
> community write one.
>
Cool. Like I said, I wasn't trying to say you shouldn't be doing this
work. I just wanted to make sure it was "open". I wasn't at IIW, so that
explains my disconnect.
>> Am I missing something? Are there "private" WG discussions going on that
>> the rest of us can't see?
>>
> The security best practices document was first discussed at the December
> 2008 IIW session on OpenID 2.1, completely in the open.
>
See my comment above.
>> Or are you just "taking some initiative", as it were?
>>
> Well, I'd been procrastinating for more than 6 months, but I think we
> waited long enough. More and more sites want to deploy OpenID, and it's
> about time we had a security document that potential implementers can read,
> other than just reading the specs, and various blog posts.
>
:) -- I'm glad you've started working on this. It's important to have.
>> -- I'm really just looking to get "in the loop" on this Working Group
>> business, assuming I'm out if currently).
>>
> I believe that the process requires the WG proposers to take their proposal
> to the Specifications council who will review the proposal and give their
> recommendation to the general membership of the OIDF to either approve or
> deny the request to form the WG. The general membership then votes on the
> proposal, and if the proposal is approved, the WG is formed. There's also a
> very painful process for the WG members to get their employers to approve
> their participation in the WG.
>
> The WG proposals that seem to be stalled right now appear to be OpenID 2.1,
> SREG 1.1, and AX 2.0.
>
> At least with regards to SREG 1.1 and AX 2.0, I believe that the proposers
> are waiting for their employers to approve their participation. Where is
> Dick Hardt? The OpenID world misses you!
>
> I'm not sure about the status on OpenID 2.1, but at least for myself, I'm
> more focused on the immediate goals of getting OpenID OAuth Hybrid and the
> OpenID UI Extensions finalized.
>
I for one would like to move forward on the 2.1 Discovery WG. XRD will be a
big part of that, but at this point it seems like much of XRD has been
solidified (at least, enough for us to begin the 2.1 Discovery WG).
> The OpenID Wiki says that the Discovery WG proposal has been sent to the
> specs council, but I have not seen the proposal yet.
>
I think this is the proposal:
http://wiki.openid.net/OpenID-Discovery