Trust/threat model for OpenID
bhyde at pobox.com
Mon Jul 31 13:17:30 UTC 2006
Thanks Drummond. I have read those, and it's some comfort to hear
that you believe that use case is covered. I didn't see it. Is
this currently implemented in any of the implementations? It be the
On Jul 30, 2006, at 6:36 PM, Drummond Reed wrote:
> Yes, Ben, the use case of having OpenID IdP's generate anonymous URLs is
> covered in the OpenID 2.0 specs. See http://openid.net/specs.bml
> shown there is draft 5 -- it's up to draft 7 at this point I believe.)
> Which reminds me -- David (Recordon) or Josh (Hoyt): can you make sure to
> keep the link current at OpenID.net to the current OpenID 2.0 Working Draft?
> It would be great if there was only one place we had to look, especially as
> the Working Drafts are being updated almost weekly.
> -----Original Message-----
> From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
> On Behalf Of Ben Hyde
> Sent: Sunday, July 30, 2006 9:05 AM
> To: OpenID Discussion
> Subject: Re: Trust/threat model for OpenID
> Responding to: "impossible in many cases because of legal
> In the US most vendors' terms and conditions capture extremely broad
> rights to the information they accumulate. Legal protections are a
> valuable tool; but in the US it is currently difficult to get them
> established without the enthusiastic buy in of the larger account
> holding entities. For example they like them if they provide clarity
> about their liability and/or raise barriers to entry for late
> This, in part, is why there was so much effort expended to keep
> the US social security number from becoming a unique identifier.
> So one of the design challenges as OpenID goes forward is to temper
> the risk that these identity URLs don't create similar issues.
> Reaching back into history: http://lists.danga.com/pipermail/yadis/
>> However, this is not to say, a site (Craigslist for instance) can't
>> piggyback OpenID on top of its anonymizing code and provide its users
>> with an anonymous URL that can be asserted without tying it to an
>> individual user:
> That would help this issue. Is this possible?
> - ben
> On Jul 29, 2006, at 1:43 PM, Timothy Parez wrote:
>> This might be impossible in many cases because of legal restrictions.
>> Depending of course on the information being exchanged.
>> -----Original Message-----
>> From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
>> On Behalf Of Ben Hyde
>> Sent: Saturday, July 29, 2006 17:28
>> To: OpenID Discussion
>> Subject: Re: Trust/threat model for OpenID
>> David - I'm not familiar with a BAN analysis. Does it have anything
>> to say about, just to pick something at random - that open id
>> two service providers to gossip about the user behind his back?
>> the user is encouraged to give them both the same identity URL it's
>> easy for them to trade user models (account data) with each other.
>> On Jul 28, 2006, at 10:51 AM, David Strauss wrote:
>>> Yes, I've done such an analysis. I used what's called "BAN logic."
>>> a formal academic notation for analyzing security protocols and
>>> their assumptions (of various types) are justified.
>>> The biggest hole is when the identity URL page is fetched without
>>> (or any other signing protocol).
>>> I have a half-written paper on the BAN analysis I performed. I'll
>>> it if anyone's interested.
>>> David Strauss
>>> Gabe Wachob wrote:
>>>> Has someone written up a trust/security model for OpenID (ie who
>>>> trusts who for what, and what the threats are to the parties
>>>> I'm not sure what assumptions are being made about the
>>>> parties so I'm not terribly comfortable assessing its use for a
>>>> variety of environments other than things like SSO to livejournal
>>>> posting comments ;-)