Trust/threat model for OpenID

Ben Hyde bhyde at
Sun Jul 30 16:04:30 UTC 2006

Responding to: "impossible in many cases because of legal restrictions"

In the US most vendors' terms and conditions capture extremely broad
rights to the information they accumulate.  Legal protections are a
valuable tool; but in the US it is currently difficult to get them
established without the enthusiastic buy-in of the larger account
holding entities.  For example they like them if they provide clarity
about their liability and/or raise barriers to entry for late entrants.

This, in part, is why there was so much effort expended to keep
the US social security number from becoming a unique identifier.
So one of the design challenges as OpenID goes forward is to temper
the risk that these identity URLs don't create similar issues.

Reaching back into history: 
> However, this is not to say, a site (Craigslist for instance) can't
> piggyback OpenID on top of its anonymizing code and provide its users
> with an anonymous URL that can be asserted without tying it to an
> individual user:

That would help this issue.  Is this possible?

  - ben

On Jul 29, 2006, at 1:43 PM, Timothy Parez wrote:
> This might be impossible in many cases because of legal restrictions.
> Depending of course on the information being exchanged.
> -----Original Message-----
> From: yadis-bounces at [mailto:yadis-bounces at]
> On behalf of Ben Hyde
> Sent: Saturday, 29 July 2006 17:28
> To: OpenID Discussion
> Subject: Re: Trust/threat model for OpenID
> David - I'm not familiar with a BAN analysis.   Does it have anything
> to say about, just to pick some thing at random - that open id enables
> two service providers to gossip about the user behind his back?  Since
> the user is encouraged to give them both the same identity URL it's
> easy for them to trade user models (account data) with each other.
> On Jul 28, 2006, at 10:51 AM, David Strauss wrote:
>> Yes, I've done such an analysis. I used what's called "BAN logic."
>> It's a formal academic notation for analyzing security protocols and
>> whether their assumptions (of various types) are justified.
>> The biggest hole is when the identity URL page is fetched without SSL
>> (or any other signing protocol).
>> I have a half-written paper on the BAN analysis I performed. I'll
>> finish it if anyone's interested.
>> David Strauss
>> Gabe Wachob wrote:
>>> Has someone written up a trust/security model for OpenID (ie who
>>> trusts who for what, and what the threats are to the parties
>>> involved?)
>>> I'm not sure what assumptions are being made about the participating
>>> parties so I'm not terribly comfortable assessing its use for a
>>> variety of environments other than things like SSO to livejournal
>>> for posting comments ;-)
>>> TIA
>>>    -Gabe
