Trust/threat model for OpenID

David Strauss mailinglists at fourkitchens.com
Sat Jul 29 19:11:58 UTC 2006


Instead of retyping it here, I'll just point you to the Wikipedia
article. I wrote the introduction:

http://en.wikipedia.org/wiki/Burrows-Abadi-Needham_logic

The weakest part of BAN logic is its lack of ability to tell you
information leaked if you do something really stupid. BAN logic is
primarily for authentication, not encryption.

- David

Ben Hyde wrote:
> David - I'm not familiar with a BAN analysis. Does it have anything
> to say about, just to pick some thing at random - that open id enables
> two service providers to gossip about the user behind his back?  Since
> the user is encouraged to give them both the same identity URL it's
> easy for them to trade user models (account data) with each other.
> 
> On Jul 28, 2006, at 10:51 AM, David Strauss wrote:
> 
>> Yes, I've done such an analysis. I used what's called "BAN logic." It's
>> a formal academic notation for analyzing security protocols and whether
>> their assumptions (of various types) are justified.
>>
>> The biggest hole is when the identity URL page is fetched without SSL
>> (or any other signing protocol).
>>
>> I have a half-written paper on the BAN analysis I performed. I'll finish
>> it if anyone's interested.
>>
>> David Strauss
>>
>> Gabe Wachob wrote:
>>> Has someone written up a trust/security model for OpenID (i.e., who
>>> trusts who for what, and what the threats are to the parties
>>> involved?)
>>>
>>> I'm not sure what assumptions are being made about the participating
>>> parties so I'm not terribly comfortable assessing its use for a
>>> variety of environments other than things like SSO to livejournal for
>>> posting comments ;-)
>>>
>>> TIA
>>>
>>>    -Gabe
>>>
>>
>>
> 
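
Added example, not part of the original thread or of any OpenID library: a check for the hole named above, an identity URL page fetched without SSL. It audits OpenID 1.x discovery and reports every hop (the identity URL and the openid.server / openid.delegate links in the page) that is not fetched over TLS. The function names, hostnames and sample page are constructed for illustration.

```python
# Added example: audit OpenID 1.x discovery for hops not protected by TLS.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample identity page; hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://idp.example.net/auth">
<link rel="openid.delegate" href="https://alice.idp.example.net/">
</head><body>Alice</body></html>"""


class _LinkCollector(HTMLParser):
    """Collects <link rel="openid.*" href="..."> elements."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        for rel in a.get("rel", "").lower().split():
            if rel.startswith("openid.") and a.get("href"):
                # Keep the first declaration of each relation.
                self.links.setdefault(rel, a["href"].strip())


def discover(html):
    """Return the openid.* link relations declared in an identity page."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def audit_discovery(identity_url, html):
    """List every discovery hop that is not an https:// URL."""
    findings = []
    if urlsplit(identity_url).scheme.lower() != "https":
        findings.append(("identity_url", identity_url))
    links = discover(html)
    if "openid.server" not in links:
        findings.append(("openid.server", "missing"))
    for rel, href in sorted(links.items()):
        # Relative or scheme-less hrefs are flagged too.
        if urlsplit(href).scheme.lower() != "https":
            findings.append((rel, href))
    return findings
```

A relying party that rejects any identity whose audit returns findings only ever acts on discovery data that arrived over an authenticated channel.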


