Wednesday, September 05, 2007

Sanity check for OpenID

Bob Blakley offers a wisp of sanity for the often cantankerous debate over the formats, uses, security and usefulness of OpenID. As he puts it, there are all sorts of answers flying about, but it might be best to first form the appropriate question! In his own words:

"What I’d really like to see, as a security guy, is a problem statement and a risk analysis. Specifically, before we start arguing about whether OpenID 2.0 is the answer, I’d like to know the following things about the question..."

In particular, Bob wants answers to these questions (and he goes on to elaborate on them):

1. What are the assets to be protected?
2. What are the services to be offered?
3. What quality of protection is claimed for these services?
4. What is the threat model?
5. What is the trust model?

Perhaps, before Digital ID World at the end of this month (and the accompanying Identity Open Space meeting), some folks will be prepared with cogent answers.

The 5th question especially is really important regarding OpenID. The answer is that OpenID does not have a trust model. It relies (quite blindly, quite inconsistently and quite indirectly) on the X.509 PKI used by HTTPS. Which is quite a foolish thing to do (yes, we have a lot of fools nowadays).
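
To make the commenter's point concrete, here is an added example that is not part of the original post or its comments: a minimal OpenID 2.0 relying-party check of a positive assertion, written in Python. The OP endpoint URL, association handle, shared secret, identifiers and nonce are all constructed for illustration and no network I/O takes place. The signature check proves only that the assertion came from whichever endpoint the RP previously associated with; nothing in the protocol says whether that endpoint should be trusted, and the binding of the claimed identifier to that endpoint comes entirely from discovery, which is protected (if at all) only by the HTTPS connection it was fetched over.

```python
"""Minimal OpenID 2.0 relying-party assertion check (added example).

All association state and assertion fields below are constructed for
illustration; they are not real endpoints, handles or secrets.
"""
import base64
import hashlib
import hmac

# Association state the RP would hold after a "mode=associate" exchange
# with the endpoint that discovery returned for the user's identifier.
# How that endpoint was chosen (HTTP or HTTPS discovery) happens outside
# this code, and the protocol offers no other trust anchor.
ASSOCIATIONS = {
    "https://op.example.net/server": {            # constructed endpoint
        "handle": "assoc-1234567890",              # constructed handle
        "secret": bytes(range(32)),                # constructed 256-bit secret
        "type": "HMAC-SHA256",
    }
}

# Fields OpenID 2.0 requires to be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def signed_string(fields: dict, signed: str) -> bytes:
    """Key-value form over the fields named in openid.signed, in order,
    each rendered as "key:value\\n" with the "openid." prefix stripped."""
    return "".join(
        f"{k}:{fields['openid.' + k]}\n" for k in signed.split(",")
    ).encode()


def compute_sig(secret: bytes, assoc_type: str, fields: dict, signed: str) -> str:
    """base64(HMAC(secret, key-value form)) using the association's hash."""
    digest = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}[assoc_type]
    mac = hmac.new(secret, signed_string(fields, signed), digest).digest()
    return base64.b64encode(mac).decode()


def verify_assertion(fields: dict) -> bool:
    """True if the assertion is validly signed under an association the RP
    holds for the asserted op_endpoint. Note what is NOT checked: whether
    that endpoint deserves trust, or whether claimed_id really belongs to
    it. Both rest on the discovery step, not on this signature."""
    assoc = ASSOCIATIONS.get(fields.get("openid.op_endpoint"))
    if assoc is None or fields.get("openid.assoc_handle") != assoc["handle"]:
        return False
    signed = fields.get("openid.signed", "")
    if not REQUIRED_SIGNED.issubset(signed.split(",")):
        return False
    try:
        expected = compute_sig(assoc["secret"], assoc["type"], fields, signed)
    except KeyError:          # a listed field is missing from the response
        return False
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


def make_assertion(endpoint: str, claimed_id: str, return_to: str, nonce: str) -> dict:
    """Build a positive assertion the way the OP at `endpoint` would."""
    assoc = ASSOCIATIONS[endpoint]
    signed = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc["handle"],
        "openid.signed": signed,
    }
    fields["openid.sig"] = compute_sig(assoc["secret"], assoc["type"], fields, signed)
    return fields


if __name__ == "__main__":
    # Constructed identifiers and nonce.
    good = make_assertion("https://op.example.net/server",
                          "https://alice.example.org/",
                          "https://rp.example.com/finish",
                          "2007-09-05T12:00:00Zabc123")
    print("genuine assertion verifies:", verify_assertion(good))
    forged = dict(good, **{"openid.claimed_id": "https://mallory.example.org/"})
    print("tampered claimed_id verifies:", verify_assertion(forged))
```

The check is sound as far as it goes: altering any signed field breaks the HMAC, and an assertion naming an endpoint the RP never associated with is rejected. What it cannot tell you is whether `op.example.net` is the right OP for `alice.example.org`; the RP believed that because discovery of the identifier said so, and the integrity of that step is exactly the HTTPS/X.509 dependency the comment is objecting to.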

You have provoked me. I have written a post for my blog:
