Trust/threat model for OpenID
drummond.reed at cordance.net
Mon Jul 31 17:15:18 UTC 2006
Ben, I'll have to defer to David and Josh on your question about the precise
location in the OpenID 2.0 spec, and to JanRain (or others) on the status of
implementations. As far as "the default behavior", that's not quite the
right question: this is a feature that an OpenID IdP/i-broker either
implements or not. If they've implemented it, a user can do anonymous login
simply by using the identifier of their IdP/i-broker. So it's up to a user
whether they want to be anonymous or not.
From: Ben Hyde [mailto:bhyde at pobox.com]
Sent: Monday, July 31, 2006 6:18 AM
To: OpenID Discussion
Cc: Drummond Reed
Subject: Re: Trust/threat model for OpenID
Thanks Drummond. I have read those, and it's some comfort to hear
that you believe that use case is covered. I didn't see it. Is
this currently implemented in any of the implementations? It be the
On Jul 30, 2006, at 6:36 PM, Drummond Reed wrote:
> Yes, Ben, the use case of having OpenID IdP's generate anonymous
> URLs is
> covered in the OpenID 2.0 specs. See http://openid.net/specs.bml
> shown there is draft 5 -- it's up to draft 7 at this point I believe.)
> Which reminds me -- David (Recordon) or Josh (Hoyt): can you make
> sure to
> keep the link current at OpenID.net to the current OpenID 2.0
> Working Draft?
> It would be great if there was only one place we had to look,
> especially as
> the Working Drafts are being updated almost weekly.
> -----Original Message-----
> From: yadis-bounces at lists.danga.com [mailto:yadis-
> bounces at lists.danga.com]
> On Behalf Of Ben Hyde
> Sent: Sunday, July 30, 2006 9:05 AM
> To: OpenID Discussion
> Subject: Re: Trust/threat model for OpenID
> Responding to: "impossible in many cases because of legal
> In the US most vendor's terms and conditions capture extremely broad
> rights to the information they accumulate. Legal protections are a
> valuable tool; but in the US it is currently difficult to get them
> established without the enthusiastic buy in of the larger account
> holding entities. For example they like them if they provide clarity
> about their liability and/or raise barriers to entry for late
> This, in part, is why there was so much effort expended to keep
> the US social security number from becoming a unique identifier.
> So one of the design challenges as OpenID goes forward is to temper
> the risk that these identity URLs don't create similar issues.
> Reaching back into history: http://lists.danga.com/pipermail/yadis/
>> However, this is not to say, a site (Craigslist for instance) can't
>> piggyback OpenID on top of its anonymizing code and provide its users
>> with an anonymous URL that can be asserted without tying it to an
>> individual user:
> That would help this issue. Is this possible?
> - ben
> On Jul 29, 2006, at 1:43 PM, Timothy Parez wrote:
>> This might be impossible in many cases because of legal restrictions.
>> Depending of course on the information being exchanged.
>> -----Oorspronkelijk bericht-----
>> Van: yadis-bounces at lists.danga.com [mailto:yadis-
>> bounces at lists.danga.com]
>> Namens Ben Hyde
>> Verzonden: zaterdag 29 juli 2006 17:28
>> Aan: OpenID Discussion
>> Onderwerp: Re: Trust/threat model for OpenID
>> David - I'm not familiar with a BAN analysis. Does it have anything
>> to say about, just to pick some thing at random - that open id
>> two service providers to gossip about the user behind his back?
>> the user is encouraged to give them both the same identity URL it's
>> easy for them to trade user models (account data) with each other.
>> On Jul 28, 2006, at 10:51 AM, David Strauss wrote:
>>> Yes, I've done such an analysis. I used what's called "BAN logic."
>>> a formal academic notation for analyzing security protocols and
>>> their assumptions (of various types) are justified.
>>> The biggest hole is when the identity URL page is fetched without
>>> (or any other signing protocol).
>>> I have a half-written paper on the BAN analysis I performed. I'll
>>> it if anyone's interested.
>>> David Strauss
>>> Gabe Wachob wrote:
>>>> Has someone written up a trust/security model for OpenID (ie who
>>>> trusts who for what, and what the threats are to the parties
>>>> I'm not sure what assumptions are being made about the
>>>> parties so I'm not terribly comfortable assessing its use for a
>>>> variety of environments other than things like SSO to livejournal
>>>> posting comments ;-)
More information about the yadis