RE: Special Request: Client Certificates vs. OpenID

2007-01-23 Thread McGovern, James F (HTSC, IT)
Even if we don't produce a white paper, we should at least produce enough 
insight that others such as industry analysts can provide the white paper 
writing services and blogging is a great way to make this happen. We should 
talk about the following:
 
1. How OpenID can benefit enterprises - enough on the consumerish stuff. 
Besides, success should not be based on just amount of eyeballs but where the 
money is.
2. What would industry vertical approaches look like using user-centric 
approaches - Yes we can be compatible with PKI but how about focusing on the 
instead of scenarios
3. A discussion on who is willing to pay - Stolen from Dick - I am of the 
belief that consumers won't pay and therefore putting into business context is 
the only way to make money. 
4. If businesses are willing to pay, then what do they require and how do they 
benefit - anti-phishing, authorization, relationships, etc.
5. How should enterprise architecture teams start thinking about identity - it 
needs to move away from just security folks talking about it in terms of 
protection mechanisms towards something that becomes a business enabler
 
If we blog heavily on identity, relationships, authorization and attestation 
and the analysts need some additional stimulus to publish on it, then I will 
pick up expenses associated with making this happen as long as we do so quickly 
and in a more aggressive manner.

-Original Message-
From: Johannes Ernst [mailto:[EMAIL PROTECTED]
Sent: Monday, January 22, 2007 3:19 PM
To: McGovern, James F (HTSC, IT)
Cc: specs@openid.net
Subject: Re: Special Request: Client Certificates vs. OpenID


So I've been doing some asking around who might be interested in co-authoring 
some kind of white paper on the subject of user-centric identity in/for the 
enterprise. There are some volunteers with a variety of view points -- no 
guarantees that we'll manage to produce something collaboratively (cross-vendor 
white papers tend to be hard) -- and we'll see where that goes. 

That only goes partially to your point, but it is a step.



On Jan 22, 2007, at 9:08, McGovern, James F (HTSC, IT) wrote:


Last week I sent a note to the list inquiring whether anyone on this list 
wanted to participate in our industry vertical standards body in hopes of 
ratifying OpenID as an endorsed horizontal specification. In terms of 
preparation, it would be greatly appreciated if Dick Hardt, Johannes Ernst and 
other bloggers could from their blog discuss user-centric identity as a 
potential solution to industry vertical concerns since nothing neutral 
(produced by a vendor and not an insurance carrier) exists in this regard.

Other industry verticals such as Pharmaceutical have embraced PKI approaches 
where they issue client certificates to participants. Many PKI vendors have in 
secret created user certificate management issues, the inability to allow for 
roaming users, sharing of desktops, and other concerns that I believe 
user-centric approaches could handle. Of course PKI-centric and 
user-centric don't have to be mutually exclusive but it would be wonderful if 
the blog entry reflected how approaches such as SAFE (pharma) would have looked 
in a user-centric world.




*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information. If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited. If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs



RE: [OpenID] Questions about Spoofing OpenId

2007-01-23 Thread David Fuelling
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Carl Howells
 Subject: Re: [OpenID] Questions about Spoofing OpenId
 
 Some care has to be
 taken to make sure that direct cross-linking won't work, but that's not
 too difficult.

What do you mean by direct cross-linking?



RE: 2.0 Spec Questions

2007-01-23 Thread Recordon, David
James, for 3 have you looked at
http://openid.net/specs/openid-assertion-quality-extension-1_0-03.html?
I don't think it addresses the specific point you brought up, though may
be the right place to do it.

--David 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of James McGovern
Sent: Sunday, January 21, 2007 4:49 PM
To: specs@openid.net
Subject: 2.0 Spec Questions
Sensitivity: Confidential

Several questions after reading the 2.0 spec - draft 11.

1. The definition of realm if I am reading it correctly could be
problematic in large enterprises. For example, if one were using a web
access management product, they would have the ability to define a realm
in terms of a listing of discrete hosts that may or may not fit a URL
pattern matching approach.
For example, I could have a demographic called consumers who could
access hosts such as http://myconsumer.example.com ,
http://printstatements.example.com, http://paybills.example.com. Likewise
another demographic called Business Partner may have a different set of
hosts they can interact with.

2. In terms of checking the nonce, can we recommend that a deployment
practice should be to use the NTP protocol and point to clocks of a
certain stratum? Likewise, would it be a good idea if an association
could indicate how much skew it would accept before rejecting?

3. In terms of an extension, should an OP be able to indicate when
reauth may be required so the user doesn't assume that if they
authenticate once they are always good?

4. Some portions of the spec are heavily coupled to PKI. How should
growing users of IBE think of this?

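
Two of the questions above (the realm definition in 1, nonce checking and clock skew in 2) come down to checks a relying party has to implement. The block below is an added example written for this page, not code from the OpenID 2.0 draft or from any OpenID library: it matches openid.return_to against openid.realm as section 9.2 of the draft describes it, and verifies openid.response_nonce with a skew window and a per-OP replay store as sections 10.1 and 11.3 describe. The hostnames come from the message above; the OP endpoint URLs, the NonceStore class, the 300-second default window, the directory-wise path rule and the choice to let a bare domain match its own wildcard realm are this example's assumptions.

```python
"""Relying-party checks for an OpenID Authentication 2.0 positive assertion.

Added example for this page; not code from the OpenID specification or
from any OpenID library. Implements two of the checks discussed above:
  * realm matching of openid.return_to against openid.realm (spec 9.2);
  * openid.response_nonce verification with a clock-skew window and a
    per-OP replay store (spec 10.1 and 11.3).
"""
import re
import time
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# openid.response_nonce: RFC 3339 UTC time with a literal 'Z', no fractional
# seconds, followed by optional printable non-whitespace ASCII (33-126).
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")
_DEFAULT_PORT = {"http": 80, "https": 443}


def _scheme_port(parts) -> Tuple[str, Optional[int]]:
    """Normalise so that https://a and https://a:443 compare equal."""
    scheme = parts.scheme.lower()
    return scheme, parts.port or _DEFAULT_PORT.get(scheme)


def realm_matches(realm: str, url: str) -> bool:
    """True if `url` lies within the URL-space described by `realm`.

    Spec 9.2: same scheme and port; URL path equal to or a sub-directory of
    the realm path; host identical, or, when the realm host starts with
    '*.', the URL host ends with the part after the wildcard. A realm with
    a fragment, an empty host, or a wildcard anywhere but the first label
    is rejected outright (assumption of this example: bare 'example.com'
    also matches the realm host '*.example.com').
    """
    r, u = urlsplit(realm), urlsplit(url)
    if r.fragment or not r.hostname or not u.hostname:
        return False
    if _scheme_port(r) != _scheme_port(u):
        return False
    rpath, upath = r.path or "/", u.path or "/"
    # '/rp' covers '/rp' and '/rp/...', but not '/rpx' (directory-wise prefix).
    if upath != rpath and not upath.startswith(rpath.rstrip("/") + "/"):
        return False
    rhost, uhost = r.hostname.lower(), u.hostname.lower()
    if rhost.startswith("*."):
        suffix = rhost[2:]
        if not suffix or "*" in suffix:
            return False
        return uhost == suffix or uhost.endswith("." + suffix)
    return "*" not in rhost and uhost == rhost


class NonceStore:
    """Remembers (op_endpoint, nonce) pairs inside the skew window so that a
    replayed assertion is refused. In-memory for the example; a deployed RP
    would key a shared table the same way so every worker sees it.
    """

    def __init__(self, max_skew_seconds: int = 300) -> None:
        # How far the OP's clock may differ from ours, in either direction.
        # Only meaningful if both sides discipline their clocks (e.g. NTP).
        self.max_skew = max_skew_seconds
        self._seen: Dict[Tuple[str, str], float] = {}

    def check(self, op_endpoint: str, nonce: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
        """Validate and record a nonce; returns (accepted, reason)."""
        now = time.time() if now is None else now
        m = _NONCE_RE.match(nonce)
        if len(nonce) > 255 or not m:
            return False, "malformed nonce"
        try:
            ts = (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
                  .replace(tzinfo=timezone.utc).timestamp())
        except ValueError:
            return False, "malformed nonce"
        if abs(now - ts) > self.max_skew:
            return False, "nonce timestamp outside skew window"
        self._prune(now)
        key = (op_endpoint, nonce)          # uniqueness is per OP endpoint
        if key in self._seen:
            return False, "nonce already used (replay)"
        self._seen[key] = ts
        return True, "ok"

    def _prune(self, now: float) -> None:
        # Anything older than the window would fail the skew check anyway,
        # so it no longer needs to be remembered.
        cutoff = now - self.max_skew
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]


if __name__ == "__main__":
    # Constructed sample values, not a captured exchange.
    print(realm_matches("http://*.example.com/", "http://paybills.example.com/cb"))
    store = NonceStore()
    fixed_now = datetime(2007, 1, 21, 16, 49, tzinfo=timezone.utc).timestamp()
    print(store.check("https://op.example.net/", "2007-01-21T16:48:30Zabc123", fixed_now))
    print(store.check("https://op.example.net/", "2007-01-21T16:48:30Zabc123", fixed_now))
```

The realm rules show the limit raised in question 1: one wildcard realm covers myconsumer, printstatements and paybills under example.com, but a partner host on another domain cannot be folded into the same realm, so an RP with a discrete host list ends up issuing requests under several realms. The nonce store takes `now` as a parameter so the skew window can be tested deterministically; in production it reads the wall clock, which is why the NTP point in question 2 matters.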


Re: OpenID Auth 2.0 security considerations

2007-01-23 Thread Johannes Ernst
Me too ;-)

There are tradeoffs, no question -- and I used the verb "suggest" to  
indicate only a weak preference, on balance.

On Jan 23, 2007, at 14:19, Hallam-Baker, Phillip wrote:

 I get really worried whenever I see such statements. They tend to  
 be the sign of a long drawn out specification effort rather than a  
 short one.

 If you want to change the Internet you have a lot of gatekeepers to  
 convince. Deciding that you don't have time to do that is usually a  
 mistake.

 The key is to understand which parties are really gatekeepers and  
 which are not. Two gatekeepers that must be convinced here are the  
 security cabal and the open source community.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Johannes Ernst
 Sent: Tuesday, January 23, 2007 3:57 PM
 To: Recordon, David
 Cc: specs@openid.net
 Subject: Re: OpenID Auth 2.0 security considerations

 Given where we are in time, I would suggest to make the
 smallest amount of changes possible to the document, i.e.
 leave everything as is, just add this one link.


 On Jan 23, 2007, at 11:59, Recordon, David wrote:

 I don't see a problem with that.

 Would you propose the majority of the security
 considerations section
 in the current draft be moved to the wiki?  What would be
 the balance
 between spec and wiki page?

 --David

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Johannes Ernst
 Sent: Monday, January 22, 2007 12:15 PM
 To: specs@openid.net
 Subject: OpenID Auth 2.0 security considerations

 What about a non-normative link from the spec to a place on
 the wiki
 where we can collect security considerations for it, and
 update those
 in real-time as discussions such as the phishing one progress.




Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-23 Thread James A. Donald
 --
James A. Donald
   nor is PKI useful in solving phishing.
  
   PKI is a solution that has been tried and has
   failed. It has become an obstacle, as commercial
   interests actively block alternatives that do not
   involve a small number of centralized authorities
   with a special privilege that enables them to
   intrude between client and server and charge the
   server.

Hallam-Baker, Phillip wrote:
  On the contrary, PKI is the basis of the security
  infrastructure that so far has provided the greatest
  defense against Internet crime - SSL.

Most of the time that I login, or pay by credit card, or
some such, I am bounced to some weird URL that has no
easily provable connection to business I am trying to
interact with, which means that PKI is in practice
merely an exorbitantly slow and inefficient
Diffie-Hellman key-exchange.

 --digsig
  James A. Donald
  6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
  ERRvvxIr3Rz1ZnlX/LG8m/wkPWR/RhhqcWfDRyI1
  403xuw3aJ0JGZbaY+1qh/4rydpyimpbcM8a2SNF9D


Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-23 Thread James A. Donald
 --
Ka-Ping Yee [mailto:[EMAIL PROTECTED]
  In practice SSL is primarily used to establish an
  encrypted channel between endpoints, not to establish
  reliable reciprocal identification. Given that almost
  no users pay any attention to certificates, what
  reason do we have to believe that SSL succeeds
  because of PKI, rather than in spite of it?

Hallam-Baker, Phillip
  SSL achieves the original security goals set for it.

Which were defined to fit what PKI does, not what the
user needs.

The user needs proof of relationship, not proof of true
name.

 --digsig
  James A. Donald
  6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
  qVkusWoDPirkBhjZe5MXwUDyBHO4LxZCWStLyKpA
  4JVAsnPJ0MmTZsUwSsCOYR37FKrlG3DPXGBozt+Kh