[Opensim-dev] OpenID
Ryan McDougall
sempuki1 at gmail.com
Fri Mar 27 13:19:34 UTC 2009
The problem with OpenID is not OpenID, it's people who don't
understand what OpenID really does.
OpenID is a protocol for federated (distributed) identity. Nothing
more, nothing less. It makes no claims about security -- it *cannot*.
If you are expecting OpenID to be a magic box for that answers all
your authentication needs, you aren't reading very carefully.
All OpenID says to you is "server foo.example.com asserts this
connection is joe.example.com". The meaning of that phrase is not, nor
could ever, be defined by the protocol itself. It's up to *you* to
decide what that statement means.
Once you consider that a primary design goal was to not rely on a
single trusted entity, you'll notice that the protocol is entirely
orthogonal to trust. Trust is an extra ingredient you have to add on
a site-by-site, or application-by-application basis.
What you *can* however notice is that OpenID provides the *means* for
establishing a network of trust using white lists. However it is *way*
beyond the scope of the protocol to go as far as to tell the Internet
at large *who* should be written down on those white lists.
The mistake OpenID made was giving engineers too much credit for
discovering this implication by themselves. It should have been released
with an explicit disclaimer about phishing, and formalized some sort of
notion of trust networks to keep the outrage at bay.
Bottom line IMO: learn OpenID, use OpenID, build a *Trust Network* on
OpenID that is site configurable by grid administrators -- like HG
links are now.
Cheers,
On Wed, Mar 4, 2009 at 2:43 AM, Diva Canto <diva at metaverseink.com> wrote:
> Sean Dague wrote:
>> I guess the question is whether or not this is better or worse than
>> requiring new user account registration for systems, which inevitably is
>> people typing in the same passwords as they've used elsewhere.
>>
> I can't say I have the answer to that question, although I have a hunch
> about it. All I can say is that it is extremely irresponsible on the
> part of these corporations to deploy this scheme out there without
> finding the answer to that question, given all the literature pointing
> to how oblivious people are wrt security in practice.
>
>> Those are general statements on the tech. How it fits in the opensim
>> space, I'll leave to others, because it may not be appropriate. But
>> make sure that if you are going to hold up openid to such a high
>> standard of social engineering, that you hold other methods to that as well.
>>
> Let's put it this way: if I had the low standards and ethics that the
> people who wrote the OpenID spec have I would say that the Hypergrid is
> 1.0 and that the security problems "can be prevented in multiple ways"
> and "are outside the scope of this document." Then I would charge
> $5000/day to do consulting work with
> the people who want to use the Hypergrid for added convenience, without
> ever mentioning the security problems that it currently has. [That seems
> to be the game with OpenID, as far as all I can tell; to the credit of
> OAuth, in comparison, they, at least, acknowledge the phishing problem
> explicitly]
>
> I really don't know if we can secure the Hypergrid the right way (well,
> I think we can, but it will take some work including client-side :-),
> but I do know that anything that is based on random components asking
> people for their passwords is out of the question, at least for any
> security schemes I will be involved with.
>
> Having said that, it's clear to me that, should we use the OpenID
> protocol as a basis for Hypergrid identity, it doesn't necessarily need
> to be used in the irresponsible manner it is being used on the Web. As I
> said, the mechanism is fine. And there is something of value to having
> OpenID and OAuth together. My main technical issue is the existence of
> multiple calls and the complexity of the solution in terms of the code,
> because of model mismatch.
>
> I haven't finished my study on this yet. I have been distracted
> (distraught?) by what I'm seeing of OpenID out there on Webland...
>
> Crista
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
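Ryan's separation of the protocol from trust, as an added illustration that is not part of the original thread or of OpenSim's code: a small relying-party policy layer that parses an OpenID 2.0 positive assertion and accepts it only from providers on a grid-configured white list, plus the nonce and signed-field checks the spec requires. The provider URLs, nonce and signature value are constructed; verifying openid.sig against the association with the OP is assumed to have happened before this step.

```python
from urllib.parse import parse_qs

# Constructed sample: the query string an OP sends back to the relying
# party's return_to URL as an OpenID 2.0 positive assertion (mode=id_res).
SAMPLE_QUERY = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fopenid.example-grid.org%2Fserver"
    "&openid.claimed_id=https%3A%2F%2Fopenid.example-grid.org%2Fjoe"
    "&openid.identity=https%3A%2F%2Fopenid.example-grid.org%2Fjoe"
    "&openid.return_to=https%3A%2F%2Fgrid.example.net%2Flogin"
    "&openid.response_nonce=2009-03-27T13%3A19%3A34Zabc123"
    "&openid.assoc_handle=h1&openid.sig=ZmFrZXNpZw%3D%3D"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to"
    "%2Cresponse_nonce%2Cassoc_handle"
)

# Fields the OP must sign (OpenID 2.0 section 10.1); an unsigned field could
# be altered in transit without invalidating openid.sig.
MUST_BE_SIGNED = ("op_endpoint", "claimed_id", "identity", "return_to",
                  "response_nonce", "assoc_handle")

def parse_assertion(query):
    """Extract the openid.* fields of a positive assertion from a query string."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    missing = [f for f in MUST_BE_SIGNED + ("sig", "signed")
               if "openid." + f not in params]
    if missing:
        raise ValueError("assertion lacks " + ", ".join(missing))
    return params

def decide_trust(assertion, trusted_ops, seen_nonces):
    """Policy layer. OpenID only delivers 'OP X asserts identity Y'; whether
    X's word counts is a per-grid decision, expressed here as a white list.
    Assumes openid.sig was already verified against the association with X."""
    op = assertion["openid.op_endpoint"]
    claimed = assertion["openid.claimed_id"]
    nonce = assertion["openid.response_nonce"]
    if op not in trusted_ops:
        return False, "OP %s is not on this grid's white list" % op
    signed = set(assertion["openid.signed"].split(","))
    unsigned = [f for f in MUST_BE_SIGNED if f not in signed]
    if unsigned:
        return False, "unsigned fields: " + ", ".join(unsigned)
    if (op, nonce) in seen_nonces:  # replayed assertion
        return False, "nonce already used for " + op
    seen_nonces.add((op, nonce))
    return True, "%s accepted on the word of %s" % (claimed, op)
```

Running decide_trust(parse_assertion(SAMPLE_QUERY), {"https://openid.example-grid.org/server"}, set()) accepts the sample assertion; the same call with an empty white list, a stripped openid.signed list, or a reused nonce is refused.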