Trust/threat model for OpenID

Dick Hardt dick at
Fri Jul 28 15:23:23 UTC 2006

I'd like to see you finish it.

-- Dick

On 28-Jul-06, at 7:51 AM, David Strauss wrote:

> Yes, I've done such an analysis. I used what's called "BAN logic."  
> It's
> a formal academic notation for analyzing security protocols and  
> whether
> their assumptions (of various types) are justified.
> The biggest hole is when the identity URL page is fetched without SSL
> (or any other signing protocol).
> I have a half-written paper on the BAN analysis I performed. I'll  
> finish
> it if anyone's interested.
> David Strauss
> Gabe Wachob wrote:
>> Has someone written up a trust/security model for OpenID (ie who
>> trusts who for what, and what the threats are to the parties
>> involved?)
>> I'm not sure what assumptions are being made about the participating
>> parties so I'm not terribly comfortable assessing its use for a
>> variety of environments other than things like SSO to livejournal for
>> posting comments ;-)
>> TIA
>>    -Gabe

More information about the yadis mailing list