Re[4]: [PROPOSAL] authentication age

2006-10-04 Thread Chris Drake
Hi Gabe,

Beautifully worded, and (IMHO) an extremely valuable real-world
opinion.  I too believe OpenID is currently a non-starter.  I have
dual vested interests:  I want OpenID to succeed, *especially* for RPs
like Visa, since my IdP makes money from supporting OpenID only when
OpenID ends up getting used.  I also believe that an IdP (and mine in
particular) is well suited for deploying secure technology (eg: two
factor tokens).  If, aside from making OpenID actually *work* for the
likes of Visa, we can build in the ability to provide a tangible
*benefit* to Visa from using it (that is: allow Visa to REQUIRE that a
user has authenticated via two-factor means, to an accredited - i.e:
explicitly trusted by Visa - IdP) then we've not only cemented the
future of OpenID, we've gone and improved a pile of security problems
along the way.

Kind Regards,
Chris Drake
1id.com

Thursday, October 5, 2006, 1:41:34 PM, you wrote:

GW Chris-
GW As someone who has recently come from working in the financial
GW sector (Visa), it's clear that OpenID is NOT intended for authentication
GW where the *relying party* cares about how the authentication is performed.

GW At places like Visa and for home banking, this means that OpenID,
GW without something more, is clearly a . These relying parties want
GW to know exactly how their users are being authenticated because their
GW business is all about risk management and creating business opportunities
GW around very good knowledge of the risk profile of each transaction type.

GW That all being said, I believe it should be possible to layer on
GW OpenID a form of IDP control such that a relying party can require a certain
GW class or group of IDPs be used when presenting authentication assertions to
GW them. The actual *policy* for how these IDPs are approved is probably
GW orthogonal to the protocol spec, but secure identification of those IDPs
GW (relative to some trust root, etc) could probably be made into an extension
GW usable for those parties who want it. 

GW My guess is that culturally, most people involved in OpenID have
GW *not* been interested in addressing these concerns. However, expectations
GW need to be better managed around these sorts of relying-party-cares
GW scenarios, because it's not obvious without actually reading the specs
GW themselves...

GW -Gabe

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf
 Of Chris Drake
 Sent: Wednesday, October 04, 2006 8:26 PM
 To: Kevin Turner
 Cc: specs@openid.net
 Subject: Re[2]: [PROPOSAL] authentication age
 
 Hi Kevin,
 
 Sounds like you're leaning towards a root authority for IdPs who can
 audit procedures and verify protection in order to sign the IdP's
 keys?
 
 Joe blogger doesn't care much about identity assertions from an IdP,
 but it's a reasonable bet to expect that a Bank might care...
 
 Kind Regards,
 Chris Drake
 
 
 ___
 specs mailing list
 specs@openid.net
 http://openid.net/mailman/listinfo/specs





RE: Re[4]: [PROPOSAL] authentication age

2006-10-04 Thread Drummond Reed
+1 to one key takeaway from this whole thread: that the
marketing/evangelism/messaging around OpenID MUST be very careful to clearly
communicate, in Gabe's words, what it can and cannot do right now.
Especially when it comes to hard problems like authentication context and
circles of trust that SAML and Liberty Alliance have been cranking at for 5+
years. As long as we communicate clearly so expectations aren't raised
and then not met, then we should give OpenID the runway it needs to grow
into those problems, just like 802.11 started thin and grew to become
nearly ubiquitous.

=Drummond 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Gabe Wachob
Sent: Wednesday, October 04, 2006 9:09 PM
To: 'Chris Drake'
Cc: specs@openid.net
Subject: RE: Re[4]: [PROPOSAL] authentication age

Chris-
I don't mean to be pessimistic about OpenID *AT ALL* - I truly do
believe that OpenID *WILL* get to the point where it's valuable for the Visas
of the world. I don't want to stall it for the other use cases that are
motivating the people who are currently involved - I think OpenID can
quickly evolve when needed. OpenID should be as lightweight as needed for
the use case - and so I think OpenID is great where it is. 
It's just that we have to be clear what it's trying to do today and
what it is NOT trying to do. I think we'll surprise some people (like you) -
but in the long run, the credibility will be there - I *KNOW* the folks who
are involved with OpenID are smart and know what it can and cannot do right
now. We just have to make sure that it's being communicated clearly so
expectations aren't raised and then not met...

-Gabe
