Trust/threat model for OpenID

Timothy Parez timothyparez at
Sat Jul 29 17:43:24 UTC 2006

This might be impossible in many cases because of legal restrictions.
Depending of course on the information being exchanged.

-----Oorspronkelijk bericht-----
Van: yadis-bounces at [mailto:yadis-bounces at]
Namens Ben Hyde
Verzonden: zaterdag 29 juli 2006 17:28
Aan: OpenID Discussion
Onderwerp: Re: Trust/threat model for OpenID

David - I'm not familiar with a BAN analysis.   Does it have anything
to say about, just to pick some thing at random - that open id enables
two service providers to gossip about the user behind his back?  Since
the user is encouraged to give them both the same identity URL it's
easy for them to trade user models (account data) with each other.

On Jul 28, 2006, at 10:51 AM, David Strauss wrote:

> Yes, I've done such an analysis. I used what's called "BAN logic."  
> It's
> a formal academic notation for analyzing security protocols and  
> whether
> their assumptions (of various types) are justified.
> The biggest hole is when the identity URL page is fetched without SSL
> (or any other signing protocol).
> I have a half-written paper on the BAN analysis I performed. I'll  
> finish
> it if anyone's interested.
> David Strauss
> Gabe Wachob wrote:
>> Has someone written up a trust/security model for OpenID (ie who
>> trusts who for what, and what the threats are to the parties
>> involved?)
>> I'm not sure what assumptions are being made about the participating
>> parties so I'm not terribly comfortable assessing its use for a
>> variety of environments other than things like SSO to livejournal for
>> posting comments ;-)
>> TIA
>>    -Gabe

More information about the yadis mailing list