Trust/threat model for OpenID

Johannes Ernst at
Fri Jul 28 20:05:49 UTC 2006

On Jul 28, 2006, at 11:36, Peter Davis wrote:

> Well, you are not authenticating the binding of the identifier with  
> a user
> agent, really.  You are relying on a third party, who claims the
> relationship... Nothing more.  So relying parties to assertions  
> from unknown
> IDPs beware.

I'd put it differently. The only thing that authentication of an  
identifier (e.g. OpenID with a URL or XRI) can do is to prove to a  
relying party, when presented for the *second* time, that the client  
is the same entity that came by the first time.

It says nothing about what that entity is -- whether it is a  
particular person, a person at all, a group of people, a piece of  
software or an RFID tag. (If defined this way, having an identifier  
whose IdP does not require a password is nothing exceptional -- it  
just represents the group of all people who happened to notice that  
the IdP did not require an identifier and bothered to use it)

[I was reluctant to use the word "only" above, because it turns out  
that as little as this proves, one can do some rather amazing things  
as we all have collectively shown already.]

There a second part (but it's a second part, in my mind) where there  
is a third entity in the system that makes certain assertions about  
the relationship of identifiers and real-world people. This third  
entity may or may not be the party that runs the software supporting  
the identifier in question, but that's the entity we need to trust if  
we want to trust assertions about the relationship between  
identifiers and real-world people. However, because this is the  
"second part", unknown IdPs only may have detrimental consequences  
for this particular application of the more basic idea outlined above.

In other words, whether this is dangerous or not entirely depends on  
your use case...

Johannes Ernst
NetMesh Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: lid.gif
Type: image/gif
Size: 973 bytes
Desc: not available
Url :
-------------- next part --------------

More information about the yadis mailing list