Trust/threat model for OpenID
dick at sxip.com
Fri Jul 28 15:23:23 UTC 2006
I'd like to see you finish it.
On 28-Jul-06, at 7:51 AM, David Strauss wrote:
> Yes, I've done such an analysis. I used what's called "BAN logic,"
> a formal academic notation for analyzing security protocols and
> their assumptions (of various types) are justified.
> The biggest hole is when the identity URL page is fetched without SSL
> (or any other signing protocol).
> I have a half-written paper on the BAN analysis I performed. I'll
> it if anyone's interested.
> David Strauss
> Gabe Wachob wrote:
>> Has someone written up a trust/security model for OpenID (ie who
>> trusts who for what, and what the threats are to the parties
>> I'm not sure what assumptions are being made about the participating
>> parties so I'm not terribly comfortable assessing its use for a
>> variety of environments other than things like SSO to livejournal for
>> posting comments ;-)
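A sketch, added here as an illustration and not taken from David Strauss's unpublished analysis, of how the BAN argument for the identity-page fetch goes, and why it stops short when the page is served without SSL. Names are assumed: $C$ is the consumer (relying party), $U$ the host serving the identity URL, $K$ the session key that a verified SSL handshake establishes between $C$ and $U$, and $X$ the statement on the page "the OpenID server for this identifier is $S$"; $P \mid\equiv X$ reads "$P$ believes $X$", $P \triangleleft X$ "$P$ sees $X$", $P \mid\sim X$ "$P$ once said $X$", $P \Rightarrow X$ "$P$ has jurisdiction over $X$", and $\#(X)$ "$X$ is fresh".

With SSL, three standard BAN rules chain from "sees" to "believes":

$$
\frac{C \mid\equiv C \overset{K}{\leftrightarrow} U,\quad C \triangleleft \{X\}_K}{C \mid\equiv U \mid\sim X}
\qquad\text{(message meaning)}
$$

$$
\frac{C \mid\equiv \#(X),\quad C \mid\equiv U \mid\sim X}{C \mid\equiv U \mid\equiv X}
\qquad\text{(nonce verification; freshness comes from the handshake nonces)}
$$

$$
\frac{C \mid\equiv U \Rightarrow X,\quad C \mid\equiv U \mid\equiv X}{C \mid\equiv X}
\qquad\text{(jurisdiction: the URL's owner decides which server speaks for it)}
$$

Without SSL or any other signature, the only premise available is $C \triangleleft X$ (plaintext), and no BAN rule yields $C \mid\equiv U \mid\sim X$ from seeing an unkeyed message. The chain cannot start, so the conclusion $C \mid\equiv X$, and hence every later belief that rests on the choice of server $S$, is unjustified: the consumer has no grounds to attribute the page to $U$ rather than to anyone on the network path.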
More information about the yadis