Non-repudiability vs plausible deniability with OpenID

Steven J. Murdoch yadis+Steven.Murdoch at cl.cam.ac.uk
Fri Sep 30 10:41:08 PDT 2005


Another thing I have been considering with OpenID is the repudiability
of authentications. Has anyone thought about this?

Signature schemes like PGP have the property of non-repudiability. This
means that once Alice has signed a message and sent it to Bob, she can
not later say that she did not. This is because anyone can verify a
signature without Alice's help, and without trusting Bob, but only
Alice could sign the message. This property is useful for contracts, so
that Alice cannot renege on the terms.

However this is different to how a normal conversation works. When
Alice and Bob are speaking in private, both Alice and Bob know what is
said, and know they are really talking to Alice/Bob, but once the
conversation is over, they cannot prove this to anyone else. This
property is called plausible-deniability or repudiability. There are
more details about this in the OTR (Off-the-Record) paper [1].

I think that the latter option is more desirable for OpenID. The
consumer needs to know they are talking to the authenticated identity,
but there is no need for them to be able to demonstrate this to
someone else. For example, say Alice posts to a political website run
by Bob using OpenID and later the political climate in the country
changes and Bob hands over logs to the government. It would be
desirable in this case for Alice to deny that she used that website,
and Bob not be able to prove otherwise. 

Where non-repudiability is desirable, comment signing could be used.
For example PGP, or comment signing in a future version of OpenID.

In Smart-Mode OpenID already is very close to providing
non-repudiability, or perhaps does it already. This is because the HMAC
authentication key is shared between the server and consumer. When the
server receives the HMAC, it could store it. However this doesn't
allow the consumer to prove that the HMAC was valid, since the consumer
knows the HMAC key and hence could have spoofed it. This is how OTR
[1] achieves plausible deniability.

With Dumb-Mode the situation is a bit different - here, using the
obvious implementation the signature is still an HMAC, but the
consumer does not have the signing key. So a consumer could take the
HMAC and send it to someone else. They could send it to the
authentication server and confirm that it is real.

Perhaps this can be changed. For example, the authentication server
could warn that a dumb-mode transaction cannot be repudiated so the
user agent can refuse this type of transaction. Maybe dumb mode can be
improved to prevent non-repudiation, for example by publishing keys
(as OTR does), or by rotating keys once they are used. Or maybe
dumb-mode should be dropped, and instead consumers must request a MAC
key, but they still can use check_authentication to ask the server to
verify the MAC.

Thank you,
Steven Murdoch.

[1] "Off-the-Record Communication, or, Why Not To Use PGP" by
     Nikita Borisov, Ian Goldberg, Eric Brewer
     http://www.cypherpunks.ca/otr/otr-wpes.pdf
-- 
w: http://www.cl.cam.ac.uk/users/sjm217/
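
Added illustration, not part of the original message or of any OpenID implementation: a toy model of the two modes discussed above, showing what a consumer's logs can prove to a third party in each. The token format, class and function names, and the alice.example/bob.example URLs are assumptions made for the example.

```python
import hashlib
import hmac
import os

def mac(key: bytes, fields: dict) -> str:
    # Simplified token format (assumption): sorted "key:value" lines under HMAC-SHA1.
    msg = "".join(f"{k}:{v}\n" for k, v in sorted(fields.items())).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

class Server:
    """Toy identity server: one private key for dumb mode, shared keys for smart mode."""
    def __init__(self):
        self._private = os.urandom(20)
        self._shared = {}

    def associate(self, handle: str) -> bytes:
        # Smart mode: the consumer receives the MAC key itself.
        self._shared[handle] = os.urandom(20)
        return self._shared[handle]

    def assert_identity(self, fields: dict, handle: str = None) -> str:
        return mac(self._shared[handle] if handle else self._private, fields)

    def check_authentication(self, fields: dict, sig: str) -> bool:
        # Dumb mode: whoever holds (fields, sig) can have the server confirm it.
        return hmac.compare_digest(mac(self._private, fields), sig)

def what_the_logs_prove():
    server = Server()
    # Constructed sample values.
    real = {"identity": "http://alice.example/", "return_to": "http://bob.example/post/1"}
    fake = {"identity": "http://alice.example/", "return_to": "http://bob.example/post/2"}

    # Smart mode: Bob logs one genuine assertion and fabricates a second himself.
    key = server.associate("assoc-1")
    log = [(real, server.assert_identity(real, "assoc-1")), (fake, mac(key, fake))]
    # An auditor given Bob's key accepts both entries, so neither is evidence.
    smart = [hmac.compare_digest(mac(key, f), s) for f, s in log]

    # Dumb mode: Bob has no key; the genuine entry is confirmable by the server,
    # and his fabricated one is not, so the log becomes transferable proof.
    dumb_log = [(real, server.assert_identity(real)), log[1]]
    dumb = [server.check_authentication(f, s) for f, s in dumb_log]
    return smart, dumb

if __name__ == "__main__":
    print(what_the_logs_prove())
```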