Trust/threat model for OpenID

Dick Hardt dick at sxip.com
Fri Jul 28 15:23:23 UTC 2006


I'd like to see you finish it.

-- Dick

On 28-Jul-06, at 7:51 AM, David Strauss wrote:

> Yes, I've done such an analysis. I used what's called "BAN logic." It's
> a formal academic notation for analyzing security protocols and whether
> their assumptions (of various types) are justified.
>
> The biggest hole is when the identity URL page is fetched without SSL
> (or any other signing protocol).
>
> I have a half-written paper on the BAN analysis I performed. I'll finish
> it if anyone's interested.
>
> David Strauss
>
> Gabe Wachob wrote:
>> Has someone written up a trust/security model for OpenID (ie who
>> trusts who for what, and what the threats are to the parties
>> involved?)
>>
>> I'm not sure what assumptions are being made about the participating
>> parties so I'm not terribly comfortable assessing its use for a
>> variety of environments other than things like SSO to livejournal for
>> posting comments ;-)
>>
>> TIA
>>
>>    -Gabe
>>
>
>
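The hole David names above is the discovery step: in OpenID 1.x the relying party fetches the user's identity URL and reads the OP endpoint out of the page's `<link rel="openid.server">` (and optional `<link rel="openid.delegate">`) tags, so a page fetched over plain HTTP gives the RP an endpoint nothing has authenticated. The following is an added example, not code from this thread or from any OpenID library: it normalizes an identifier the way OpenID 1.1 does (defaulting to `http://`), parses a constructed identity page for those two link relations, records whether the page would have come over TLS, and shows how an RP policy can treat unauthenticated discovery as low assurance or reject it outright. The network fetch is stubbed out (the page body is passed in), and the policy names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse, urlunparse


@dataclass
class Discovery:
    claimed_id: str
    server: Optional[str]          # href of <link rel="openid.server">
    delegate: Optional[str]        # href of <link rel="openid.delegate">, if any
    authenticated: bool            # True only when the identity page came over HTTPS
    notes: List[str] = field(default_factory=list)


def normalize_identifier(user_input: str) -> str:
    """OpenID 1.1 style normalization: add http:// when no scheme is given,
    lower-case scheme and host, and make sure there is a path."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlparse(s)
    return urlunparse((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", p.query, ""))


class _OpenIDLinkParser(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> hrefs in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "link":
            return
        a = {k.lower(): v for k, v in attrs}
        href = a.get("href")
        for rel in (a.get("rel") or "").lower().split():
            if rel in ("openid.server", "openid.delegate") and href and rel not in self.links:
                self.links[rel] = href


def discover(user_input: str, page_html: str) -> Discovery:
    """Simulate RP discovery. page_html stands in for the body an HTTP fetch of the
    normalized claimed identifier would return (no network access here)."""
    claimed_id = normalize_identifier(user_input)
    over_tls = urlparse(claimed_id).scheme == "https"
    parser = _OpenIDLinkParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    notes: List[str] = []
    if server is None:
        notes.append("no openid.server link: discovery failed")
    if not over_tls:
        notes.append("identity page fetched without TLS: server/delegate are unauthenticated")
    elif server and urlparse(server).scheme != "https":
        notes.append("page authenticated, but openid.server itself is plain http")
    return Discovery(claimed_id, server, parser.links.get("openid.delegate"), over_tls, notes)


def rp_policy(d: Discovery, require_authenticated_discovery: bool) -> str:
    """Decide what the relying party does with a discovery result.
    Policy names ("accept", "accept-low-assurance", "reject") are assumed for illustration."""
    if d.server is None:
        return "reject"
    if not d.authenticated:
        return "reject" if require_authenticated_discovery else "accept-low-assurance"
    return "accept"


# Constructed identity page; the hosts and paths are made up for this example.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://op.example/user/alice">
</head><body>alice</body></html>"""

if __name__ == "__main__":
    for ident in ("alice.example", "https://alice.example/"):
        d = discover(ident, SAMPLE_PAGE)
        print(ident, "->", d.server, "| authenticated:", d.authenticated,
              "| strict RP:", rp_policy(d, True), "| lenient RP:", rp_policy(d, False))
```

Run with a bare host and the identifier normalizes to `http://alice.example/`, so the discovered endpoint is flagged unauthenticated: a strict RP rejects it, while a lenient one (blog-comment SSO, in Gabe's words) accepts it at low assurance. Only the `https://` form yields an "accept".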
