Saturday, August 25, 2007

Brands as medicine man

Stefan Brands recently did a hatchet job on OpenID which garnered quite a bit of comment. Now I'm not a big fan of OpenID, but somehow whenever Stefan makes that much effort to attack something I almost instinctively react to defend the thing he savages. In this case, though, his half-truths, omissions and over-simplifications are best handled by David Recordon in his response to the diatribe.

I only wish to point out Stefan's answer to Scott Kveton's posting which pointed to David's:

"OpenID to me is Web 2.0’s equivalent of green tea. I have nothing against green tea (I drink it from time to time), and in fact it is widely believed to have various positive health effects. Where things get dangerous is when green tea is seen as (let alone hyped as) the cure for all kinds of serious health conditions where people _really_ should visit a doctor. While green tea might have a positive effect for, say, cardiovascular disease, it would be irresponsible if not immoral if patients were led to believe that there is no need anymore for medication or surgery.

OpenID is currently being seen by various parties as a healthy foundation for much more serious identity and access management applications where a lot more is at stake than someone impersonating or tracking your blog comments. The recent announcement by Estonia IT folks that they are experimenting with tying OpenID into a national ID card scheme for Estonia is an example of this. Personally I find that a very worrisome trend. My colleagues and I have looked into OpenID, to see if we can combine our 'medical equipment' with your 'green tea,' but the two simply don’t mix."

The sarcasm here doesn't drip, it flows. But all it does is to paint Stefan (and his 'colleagues') as 18th century pseudo-scientific quacks railing against the "primitive" folk medicines brought back from the South American jungles, such as quinine. Stefan firmly believes that, no matter what the question may be, the answer is PKI. That is very dangerous thinking.


"...are best handled by David Recordon in his response"

David's response was quite interesting: "Yes, phishing is a problem with PayPal, Google AuthSub, Yahoo! BBAuth, AOL OpenAuth, and OpenID. All of these protocols start with a user at a potentially un-trusted site then being redirected to a trusted site where they are supposed to enter their credentials. While OpenID may make this worse..."

This quote echoes the sentiments that you'll find when you dig through the various OpenID mailing list archives. While reading them, one sees a philosophy that security either isn't important enough to consider from the get-go or that it can somehow be bolted on afterward (or worse, left as an implementation detail). If the goal was to create a new convenient method for people to post blog comments, then more power to 'em. If the goal was to build an authentication mechanism for use in value transactions, then they're not doing anyone any favors by not building security into the core from the start.

"The sarcasm here doesn't drip, it flows."

I think you must be confusing analogy for sarcasm.

and his 'colleagues'

Are you trying to insinuate that such people are (a) not co-workers of Stefan's, (b) aren't people, or (c) don't exist? I can assure you that I'm all three.

...pseudo-scientific quacks...

Um, what?

Stefan firmly believes that, no matter what the question may be, the answer is PKI.

Ah, now I understand. You clearly must be talking about a different Stefan Brands. The one who responded to David Recordon's blog posting, you know, the guy with the Ph.D. in cryptography, has spent the better part of the last, oh I don't know, fifteen years working on fixing various privacy problems with PKIs. To claim that his answer to any question is PKI is outrageous. Although there are situations where PKI is appropriate (ever visited one of those Web sites with a little 's' before the colon in the URL?), Stefan's work is not about promoting PKI as the answer to all authentication questions (and certainly not all questions; who would answer "PKI!" to "I'm getting myself a coffee, want one?").

© 2003-2006 The Virtual Quill, All Rights Reserved