Trust/threat model for OpenID

Ben Hyde bhyde at
Mon Jul 31 13:17:30 UTC 2006

Thanks Drummond.  I have read those, and it's some comfort to hear
that you believe that use case is covered.  I didn't see it.  Is
this currently implemented in any of the implementations?  Is it the
default behavior?

  - ben

On Jul 30, 2006, at 6:36 PM, Drummond Reed wrote:
> Yes, Ben, the use case of having OpenID IdP's generate anonymous URLs is
> covered in the OpenID 2.0 specs. See (what's shown there is draft 5 -- it's
> up to draft 7 at this point I believe.)
> Which reminds me -- David (Recordon) or Josh (Hoyt): can you make sure to
> keep the link current at to the current OpenID 2.0 Working Draft?
> It would be great if there was only one place we had to look, especially as
> the Working Drafts are being updated almost weekly.
> Thanks,
> =Drummond
> -----Original Message-----
> From: yadis-bounces at [mailto:yadis-bounces at]
> On Behalf Of Ben Hyde
> Sent: Sunday, July 30, 2006 9:05 AM
> To: OpenID Discussion
> Subject: Re: Trust/threat model for OpenID
> Responding to: "impossible in many cases because of legal restrictions"
> In the US most vendors' terms and conditions capture extremely broad
> rights to the information they accumulate.  Legal protections are a
> valuable tool; but in the US it is currently difficult to get them
> established without the enthusiastic buy-in of the larger account
> holding entities.  For example they like them if they provide clarity
> about their liability and/or raise barriers to entry for late entrants.
> This, in part, is why there was so much effort expended to keep
> the US social security number from becoming a unique identifier.
> So one of the design challenges as OpenID goes forward is to temper
> the risk that these identity URLs don't create similar issues.
> Reaching back into history:
> 2005-May/000146.html
>> However, this is not to say, a site (Craigslist for instance) can't
>> piggyback OpenID on top of its anonymizing code and provide its users
>> with an anonymous URL that can be asserted without tying it to an
>> individual user:
> That would help this issue.  Is this possible?
>   - ben
> On Jul 29, 2006, at 1:43 PM, Timothy Parez wrote:
>> This might be impossible in many cases because of legal restrictions.
>> Depending of course on the information being exchanged.
>> -----Original Message-----
>> From: yadis-bounces at [mailto:yadis-bounces at]
>> On Behalf Of Ben Hyde
>> Sent: Saturday, July 29, 2006 17:28
>> To: OpenID Discussion
>> Subject: Re: Trust/threat model for OpenID
>> David - I'm not familiar with a BAN analysis.   Does it have anything
>> to say about, just to pick something at random - that OpenID enables
>> two service providers to gossip about the user behind his back?   Since
>> the user is encouraged to give them both the same identity URL it's
>> easy for them to trade user models (account data) with each other.
>> On Jul 28, 2006, at 10:51 AM, David Strauss wrote:
>>> Yes, I've done such an analysis. I used what's called "BAN logic." It's
>>> a formal academic notation for analyzing security protocols and whether
>>> their assumptions (of various types) are justified.
>>> The biggest hole is when the identity URL page is fetched without SSL
>>> (or any other signing protocol).
>>> I have a half-written paper on the BAN analysis I performed. I'll finish
>>> it if anyone's interested.
>>> David Strauss
>>> Gabe Wachob wrote:
>>>> Has someone written up a trust/security model for OpenID (ie who
>>>> trusts who for what, and what the threats are to the parties
>>>> involved?)
>>>> I'm not sure what assumptions are being made about the participating
>>>> parties so I'm not terribly comfortable assessing its use for a
>>>> variety of environments other than things like SSO to livejournal for
>>>> posting comments ;-)
>>>> TIA
>>>>    -Gabe
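The mitigation Drummond points to (the IdP generating anonymous per-site URLs, instead of the user handing every site the same identity URL that Ben notes lets two providers trade account data) can be sketched as follows. This is an added illustration, not code from the thread or from any OpenID implementation; the IdP hostname, the secret and the HMAC-based derivation are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed IdP-side secret for this demo; a real IdP would keep it in a KMS/HSM.
IDP_SECRET = b"constructed-demo-secret"
IDP_BASE = "https://idp.example/anon/"  # constructed IdP hostname


def shared_identity_url(local_user: str, realm: str = "") -> str:
    """The design Ben worries about: one identity URL handed to every RP,
    so any two RPs holding it can match their records for this user."""
    return f"https://idp.example/id/{local_user}"


def normalize_realm(realm: str) -> str:
    """Reduce an RP's realm to scheme + host, so the same RP gets the same
    pseudonym whatever path or query its return_to URL carries."""
    parts = urlparse(realm)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unusable realm: {realm!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def pairwise_identity_url(local_user: str, realm: str) -> str:
    """Derive an anonymous identity URL that is stable per (user, RP) but
    differs between RPs. The HMAC key never leaves the IdP, so an RP cannot
    invert the value or predict the user's URL at some other RP; the IdP
    recomputes it on each login and needs no lookup table."""
    msg = f"{local_user}\x00{normalize_realm(realm)}".encode()
    tag = hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()
    return IDP_BASE + tag[:32]


def rps_can_correlate(issue, local_user: str, realm_a: str, realm_b: str) -> bool:
    """True if two RPs receive the same identifier from `issue` and can
    therefore trade account data keyed on it."""
    return issue(local_user, realm_a) == issue(local_user, realm_b)


if __name__ == "__main__":
    rp_a, rp_b = "https://shop.example/login", "https://forum.example/"
    print("shared URL correlatable:  ", rps_can_correlate(shared_identity_url, "alice", rp_a, rp_b))
    print("pairwise URL correlatable:", rps_can_correlate(pairwise_identity_url, "alice", rp_a, rp_b))
```

The pairwise value is only as private as the IdP secret; it does not stop an RP from correlating users by e-mail address or other attributes the user chooses to release.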
