OpenID Security

Peter Watkins peterw at tux.org
Sat Feb 7 01:29:11 UTC 2009


On Fri, Feb 06, 2009 at 03:43:30PM -0500, McGovern, James F (HTSC, IT) wrote:

> 2. Which is worse, having to sort through false positives or to not
> perform static analysis at all and have OpenID fail once some bad guy
> busts the implementation so badly that everyone runs away from OpenID?

What do you mean, "the" implementation? There is no "the" implementation.

Are you arguing that for the OpenID *protocol* to succeed, every 
*implementation* has to be "secure"? That sounds like a marketing problem
to me, and it's one you solve by having math/crypto experts ensure the 
*protocol* is good. Period. When someone finds a bug in Postfix, we don't
say SMTP is broken and run away from email; we say Postfix version 
such-and-such is broken, Wietse fixes it, and we go on.

I suppose you could argue for protocol compliance tools as part of 
protecting the OpenID image -- at least that might allow OpenID proponents
to disown any insecure library that happened to fail the protocol tests.
But I wouldn't expect too much from that, either. Automated testing is
good for finding obvious problems, but it's no replacement for good, smart
programming, and not a cure for bad code. I'd feel more comfortable with 
software that passed some long-running fuzzing tests, but you really don't 
want to be vouching for the "security" of specific implementations. That's
just asking for trouble.

-Peter



