Trust/threat model for OpenID
Roland Sassen
sassen at thinsia.com
Fri Jul 28 15:31:27 UTC 2006
I´m looking forward to it,
Roland
Dick Hardt wrote:
> I'd like to see you finish it.
>
> -- Dick
>
> On 28-Jul-06, at 7:51 AM, David Strauss wrote:
>
>> Yes, I've done such an analysis. I used what's called "BAN logic." It's
>> a formal academic notation for analyzing security protocols and whether
>> their assumptions (of various types) are justified.
>>
>> The biggest hole is when the identity URL page is fetched without SSL
>> (or any other signing protocol).
>>
>> I have a half-written paper on the BAN analysis I performed. I'll finish
>> it if anyone's interested.
>>
>> David Strauss
>>
>> Gabe Wachob wrote:
>>> Has someone written up a trust/security model for OpenID (ie who
>>> trusts who for what, and what the threats are to the parties
>>> involved?)
>>>
>>> I'm not sure what assumptions are being made about the participating
>>> parties so I'm not terribly comfortable assessing its use for a
>>> variety of environments other than things like SSO to livejournal for
>>> posting comments ;-)
>>>
>>> TIA
>>>
>>> -Gabe
>>>
>>
>>
>
>
>
>
> --No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.10.4/396 - Release Date:
> 24.07.2006
>
>
More information about the yadis
mailing list