RE: Special Request: Client Certificates vs. OpenID
Even if we don't produce a white paper, we should at least produce enough insight that others such as industry analysts can provide the white paper writing services, and blogging is a great way to make this happen. We should talk about the following:

1. How OpenID can benefit enterprises - enough on the consumerish stuff. Besides, success should not be based on just the amount of eyeballs but on where the money is.
2. What would industry vertical approaches look like using user-centric approaches - Yes, we can be compatible with PKI, but how about focusing on the instead of scenarios
3. A discussion on who is willing to pay - Stolen from Dick - I am of the belief that consumers won't pay and therefore putting it into a business context is the only way to make money.
4. If businesses are willing to pay, then what do they require and how do they benefit - anti-phishing, authorization, relationships, etc.
5. How should enterprise architecture teams start thinking about identity - it needs to move away from just security folks talking about it in terms of protection mechanisms towards something that becomes a business enabler.

If we blog heavily on identity, relationships, authorization and attestation and the analysts need some additional stimulus to publish on it, then I will pick up the expenses associated with making this happen as long as we do so quickly and in a more aggressive manner.

-----Original Message-----
From: Johannes Ernst [mailto:[EMAIL PROTECTED]
Sent: Monday, January 22, 2007 3:19 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Special Request: Client Certificates vs. OpenID

So I've been doing some asking around who might be interested in co-authoring some kind of white paper on the subject of user-centric identity in/for the enterprise. There are some volunteers with a variety of view points -- no guarantees that we'll manage to produce something collaboratively (cross-vendor white papers tend to be hard) -- and we'll see where that goes.

That only goes partially to your point, but it is a step.

On Jan 22, 2007, at 9:08, McGovern, James F ((HTSC, IT)) wrote:

> Last week I sent a note to the list inquiring whether anyone on this list wanted to participate in our industry vertical standards body in hopes of ratifying OpenID as an endorsed horizontal specification. In terms of preparation, it would be greatly appreciated if Dick Hardt, Johannes Ernst and other bloggers could, from their blogs, discuss user-centric identity as a potential solution to industry vertical concerns, since nothing neutral (produced by a vendor and not an insurance carrier) exists in this regard.
>
> Other industry verticals such as Pharmaceutical have embraced PKI approaches where they issue client certificates to participants. Many PKI vendors have in secret created user certificate management issues, the inability to allow for roaming users, sharing of desktops, and other concerns that I am of the belief that user-centric approaches could handle. Of course PKI-centric and user-centric don't have to be mutually exclusive, but it would be wonderful if the blog entry reflected how approaches such as SAFE (pharma) would have looked in a user-centric world.

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
RE: [OpenID] Questions about Spoofing OpenId
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carl Howells
Subject: Re: [OpenID] Questions about Spoofing OpenId

> Some care has to be taken to make sure that direct cross-linking won't work, but that's not too difficult.

What do you mean by direct cross-linking?
RE: 2.0 Spec Questions
James, for 3 have you looked at http://openid.net/specs/openid-assertion-quality-extension-1_0-03.html? I don't think it addresses the specific point you brought up, though it may be the right place to do it.

--David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James McGovern
Sent: Sunday, January 21, 2007 4:49 PM
To: specs@openid.net
Subject: 2.0 Spec Questions
Sensitivity: Confidential

Several questions after reading the 2.0 spec - draft 11.

1. The definition of realm, if I am reading it correctly, could be problematic in large enterprises. For example, if one were using a web access management product, they would have the ability to define a realm in terms of a listing of discrete hosts that may or may not fit a URL pattern matching approach. For example, I could have a demographic called consumers who could access hosts such as http://myconsumer.example.com, http://printstatements.example.com, http://paybills.example.com. Likewise, another demographic called Business Partner may have a different set of hosts they can interact with.

2. In terms of checking the nonce, can we recommend that a deployment practice should be to use the NTP protocol and point to clocks of a certain stratum? Likewise, would it be a good idea if an association could indicate how much skew it would accept before rejecting?

3. In terms of an extension, should an OP be able to indicate when reauth may be required so the user doesn't assume that if they authenticate once they are always good?

4. Some portions of the spec are heavily coupled to PKI. How should growing users of IBE think of this?
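The nonce check raised in question 2, as an added example that is not part of the original thread or of any OpenID library: a relying-party replay cache that parses the OpenID 2.0 response_nonce format (an RFC 3339 UTC timestamp with no fractional seconds, followed by optional characters from a restricted set), rejects nonces outside a clock-skew window that is a local relying-party setting, and refuses any nonce already accepted from the same OP endpoint. The 300-second window, the endpoint URLs and the timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: an RFC 3339 UTC timestamp without fractional
# seconds, followed by optional characters from [A-Za-z0-9_.-]; 255 chars max.
NONCE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)[A-Za-z0-9_.-]*")


def utc(stamp):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime (ValueError if invalid)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class NonceStore:
    """Replay cache of accepted nonces, keyed per OP Endpoint URL.
    max_skew_seconds (constructed default) is how far a nonce timestamp may
    differ from the relying party's own, ideally NTP-disciplined, clock."""

    def __init__(self, max_skew_seconds=300):
        self.max_skew = timedelta(seconds=max_skew_seconds)
        self._seen = {}  # (op_endpoint, nonce) -> nonce timestamp

    def check(self, op_endpoint, nonce, now=None):
        """Return (accepted, reason). A nonce is accepted at most once per OP
        endpoint, and only while its timestamp lies within +/- max_skew of now."""
        now = now or datetime.now(timezone.utc)
        if len(nonce) > 255:
            return False, "nonce too long"
        m = NONCE_RE.fullmatch(nonce)
        if not m:
            return False, "malformed nonce"
        try:
            ts = utc(m.group(1))  # regex allows e.g. month 13; strptime rejects it
        except ValueError:
            return False, "invalid timestamp"
        if ts > now + self.max_skew:
            return False, "timestamp too far in the future"
        if ts < now - self.max_skew:
            return False, "nonce expired"
        self._expire(now)
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False, "replayed nonce"
        self._seen[key] = ts
        return True, "ok"

    def _expire(self, now):
        # Entries older than the window would be rejected as expired anyway,
        # so dropping them keeps the cache bounded without weakening the check.
        cutoff = now - self.max_skew
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]
```

The cache must be shared across all relying-party instances that accept assertions, otherwise a nonce replayed against a different instance would pass the check.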
Re: OpenID Auth 2.0 security considerations
Me too ;-) There are tradeoffs, no question -- and I used the verb "suggest" to indicate only a weak preference, on balance.

On Jan 23, 2007, at 14:19, Hallam-Baker, Phillip wrote:

> I get really worried whenever I see such statements. They tend to be the sign of a long drawn out specification effort rather than a short one.
>
> If you want to change the Internet you have a lot of gatekeepers to convince. Deciding that you don't have time to do that is usually a mistake. The key is to understand which parties are really gatekeepers and which are not. Two gatekeepers that must be convinced here are the security cabal and the open source community.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johannes Ernst
> Sent: Tuesday, January 23, 2007 3:57 PM
> To: Recordon, David
> Cc: specs@openid.net
> Subject: Re: OpenID Auth 2.0 security considerations
>
> Given where we are in time, I would suggest to make the smallest amount of changes possible to the document, i.e. leave everything as is, just add this one link.
>
> On Jan 23, 2007, at 11:59, Recordon, David wrote:
>
>> I don't see a problem with that. Would you propose the majority of the security considerations section in the current draft be moved to the wiki? What would be the balance between spec and wiki page?
>>
>> --David
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johannes Ernst
>> Sent: Monday, January 22, 2007 12:15 PM
>> To: specs@openid.net
>> Subject: OpenID Auth 2.0 security considerations
>>
>> What about a non-normative link from the spec to a place on the wiki where we can collect security considerations for it, and update those in real-time as discussions such as the phishing one progress.
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
James A. Donald:
> nor is PKI useful in solving phishing. PKI is a solution that has been tried and has failed. It has become an obstacle, as commercial interests actively block alternatives that do not involve a small number of centralized authorities with a special privilege that enables them to intrude between client and server and charge the server.

Hallam-Baker, Phillip wrote:
> On the contrary, PKI is the basis of the security infrastructure that so far has provided the greatest defense against Internet crime - SSL.

Most of the time that I login, or pay by credit card, or some such, I am bounced to some weird URL that has no easily provable connection to the business I am trying to interact with, which means that PKI is in practice merely an exorbitantly slow and inefficient Diffie-Hellman key-exchange.

--digsig James A. Donald
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Ka-Ping Yee [mailto:[EMAIL PROTECTED]:
> In practice SSL is primarily used to establish an encrypted channel between endpoints, not to establish reliable reciprocal identification. Given that almost no users pay any attention to certificates, what reason do we have to believe that SSL succeeds because of PKI, rather than in spite of it?

Hallam-Baker, Phillip:
> SSL achieves the original security goals set for it.

Which were defined to fit what PKI does, not what the user needs. The user needs proof of relationship, not proof of true name.

--digsig James A. Donald