Trust/threat model for OpenID
drummond.reed at cordance.net
Sun Jul 30 22:36:09 UTC 2006
Yes, Ben, the use case of having OpenID IdP's generate anonymous URLs is
covered in the OpenID 2.0 specs. See http://openid.net/specs.bml (what's
shown there is draft 5 -- it's up to draft 7 at this point I believe.)
Which reminds me -- David (Recordon) or Josh (Hoyt): can you make sure to
keep the link current at OpenID.net to the current OpenID 2.0 Working Draft?
It would be great if there was only one place we had to look, especially as
the Working Drafts are being updated almost weekly.
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Ben Hyde
Sent: Sunday, July 30, 2006 9:05 AM
To: OpenID Discussion
Subject: Re: Trust/threat model for OpenID
Responding to: "impossible in many cases because of legal restrictions"
In the US most vendor's terms and conditions capture extremely broad
rights to the information they accumulate. Legal protections are a
valuable tool; but in the US it is currently difficult to get them
established without the enthusiastic buy in of the larger account
holding entities. For example they like them if they provide clarity
about their liability and/or raise barriers to entry for late entrants.
This, in part, is why there was so much effort expended to keep
the US social security number from becoming a unique identifier.
So one of the design challenges as OpenID goes forward is to temper
the risk that these identity URLs don't create similar issues.
Reaching back into history: http://lists.danga.com/pipermail/yadis/
> However, this is not to say, a site (Craigslist for instance) can't
> piggyback OpenID on top of its anonymizing code and provide its users
> with an anonymous URL that can be asserted without tying it to an
> individual user:
That would help this issue. Is this possible?
On Jul 29, 2006, at 1:43 PM, Timothy Parez wrote:
> This might be impossible in many cases because of legal restrictions.
> Depending of course on the information being exchanged.
> -----Oorspronkelijk bericht-----
> Van: yadis-bounces at lists.danga.com [mailto:yadis-
> bounces at lists.danga.com]
> Namens Ben Hyde
> Verzonden: zaterdag 29 juli 2006 17:28
> Aan: OpenID Discussion
> Onderwerp: Re: Trust/threat model for OpenID
> David - I'm not familiar with a BAN analysis. Does it have anything
> to say about, just to pick some thing at random - that open id enables
> two service providers to gossip about the user behind his back? Since
> the user is encouraged to give them both the same identity URL it's
> easy for them to trade user models (account data) with each other.
> On Jul 28, 2006, at 10:51 AM, David Strauss wrote:
>> Yes, I've done such an analysis. I used what's called "BAN logic."
>> a formal academic notation for analyzing security protocols and
>> their assumptions (of various types) are justified.
>> The biggest hole is when the identity URL page is fetched without SSL
>> (or any other signing protocol).
>> I have a half-written paper on the BAN analysis I performed. I'll
>> it if anyone's interested.
>> David Strauss
>> Gabe Wachob wrote:
>>> Has someone written up a trust/security model for OpenID (ie who
>>> trusts who for what, and what the threats are to the parties
>>> I'm not sure what assumptions are being made about the participating
>>> parties so I'm not terribly comfortable assessing its use for a
>>> variety of environments other than things like SSO to livejournal
>>> posting comments ;-)
More information about the yadis