_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
| Regards | |
| Signer: | Eddy Nigg, COO/CTO |
| StartCom Ltd. | |
| XMPP: | startcom <at> startcom.org |
| Blog: | Join the Revolution! |
| Twitter: | Follow Me |
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
| Regards | |
| Signer: | Eddy Nigg, COO/CTO |
| StartCom Ltd. | |
| XMPP: | startcom <at> startcom.org |
| Blog: | Join the Revolution! |
| Twitter: | Follow Me |
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
On the other hand, if things are just "right timed" (and client certs get a second chance), then so be it.
Interesting times. I smell change, Eddy.
| Regards | |
| Signer: | Eddy Nigg, COO/CTO |
| StartCom Ltd. | |
| XMPP: | startcom <at> startcom.org |
| Blog: | Join the Revolution! |
| Twitter: | Follow Me |
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
To: 'openid-general' <openid-general <at> lists.openid.net>
Sent: Saturday, February 11, 2012 9:14 AM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
On 02/11/2012 01:58 AM, From Francisco Corella:FYI:
http://pomcor.com/2012/02/10/openid-providers-invited-to-join-in-an-nstic-pilot-proposal/
Without offending, but what's the news? StartCom (and maybe some others) do this already for years: https://www.startssl.com/?app=14
A pilot for something that works in production already for years? Or am I missing something?
Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: startcom <at> startcom.org Blog: Join the Revolution! Twitter: Follow Me
_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
To: 'openid-general' <openid-general <at> lists.openid.net>
Sent: Saturday, February 11, 2012 9:14 AM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
On 02/11/2012 01:58 AM, From Francisco Corella:FYI:
http://pomcor.com/2012/02/10/openid-providers-invited-to-join-in-an-nstic-pilot-proposal/
Without offending, but what's the news? StartCom (and maybe some others) do this already for years: https://www.startssl.com/?app=14
A pilot for something that works in production already for years? Or am I missing something?
Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: startcom <at> startcom.org Blog: Join the Revolution! Twitter: Follow Me
_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
One thing that's new in our pilot proposal is the use of keygen for
automatic issuance of certificates. I now know that you do issue
certificates automatically, I tried it out yesterday.
But you don't use keygen, do you?
I suppose you use JavaScript to generate the keypair and to import the certificate?
| Regards | |
| Signer: | Eddy Nigg, COO/CTO |
| StartCom Ltd. | |
| XMPP: | startcom <at> startcom.org |
| Blog: | Join the Revolution! |
| Twitter: | Follow Me |
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
To: "openid-general <at> lists.openid.net >> 'openid-general'" <openid-general <at> lists.openid.net>
Sent: Sunday, February 12, 2012 3:49 PM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
Hi Francisco,
On 02/13/2012 12:03 AM, From Francisco Corella:One thing that's new in our pilot proposal is the use of keygen for
automatic issuance of certificates. I now know that you do issue
certificates automatically, I tried it out yesterday.
Welcome!But you don't use keygen, do you?
It depends on the browser. Keygen is used everywhere except Internet Explorer where we deploy currently VBscript for the enrollment. And unfortunately Google Chrome doesn't support client certificate enrollment except in a limited form on Linux.I suppose you use JavaScript to generate the keypair and to import the certificate?
No, never - the keypair is always generated by the browser. See https://www.startssl.com/?app=25#51
Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: startcom <at> startcom.org Blog: Join the Revolution! Twitter: Follow Me
_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
One thing that terrifies me (about NSTIC) is that its going to be an agenda-fest - for 1000 different agendas. Some of them are very technical. Some folks want a world in which this or that technology is used (being all about the web). Folks dont seem to realize that NSTIC is not limited to the web (or is about web browsers). Some people want to get on an lets kill microsoft bent (becuase they may feel NSTIC is all about open source software manufacturing business models). Other people, may want to pursue this or that standard (e.g. HTML5). Some of them are going to be non-technical (how do folks pursue a mindshare agenda, or a cyberwar positioning, or an anti-Chinese, pro-Indian state dept policy, on this or that or the other). Some folks will also be gtrying to move us beyond the models that failed (PKI, etc); others will be wanting to object to the term "failure" associated with the label PKI. Some smartcard firms may feel the whole play is about FIPS 201. Other may feel that only the "model" of openid being pursuded in the various committees of this group are relevant (and what wordpress or b log spot do when "blog commenting" is no longer "valid"). Some folks are trying to solve the evil-CA problem (how can be ensure that some CA sells it root key, and now abyone can guy a cert for $20 based on domain-name check); which pollutes the quality of interaction with OpeniD providers (which leverage https, for secure discovery). Obviously, for funds at $10m, little or none of the above is going to get settled. So what can the funds do (without starting 1000 religious wars)? its pretty clear from the criteria that the funds are there for folks who are "in the mindset" of the program (and not merely wanting the program to be picking their particular 1 agenda - to be the right one of the 1000 religious agendas to be fought). I read Dons missive carefully. And, its clear that openid foundation does have a common mindshare with NSTIC (having been mentored, for the last 2 years...). Presumably, the larger foundation members also share that common mindshare, to at least a minimum degree. The program that could be "endorsed" by the foundation have to be pursuing the future-looking work on the foundation (and not merely deploying with some widget advantage the openid we all saw written up 3 years ago). ive seen so far only 1 project so far that (were I the funding authority) Id classify as "being in the mindset" of the program (and portentially eligble for some funds). It was actually in a particular subgroup of the webid project, that not only hooked up SSL and client certs along with openid transactions, but did something rather more (than merely that). It attempted to show that another latent infrastrcuture (the linked data version of the web) is "not far off" playing the role that the X.500 played for DoD and NATO backroom infrastructure, 20 years ago. If I put this together, the world of https, modern openid, forward looking openid with RP popups and privacy-policy management for attributes enable me to "envision" there being a "national infrastructure" - similar to the north americ an numbering plan, the USPS + CanadaaPost + Mexican Post, the GPS, or wireless specturm management folks, the highway engineering standards board, ... nbut, I think we havre to look at this as a "what is the national infrastructure" - not how do we do it, competing away on some agenda or other. of course, someone will say that I just defined a particular agenda. But, such is the life of a funding officer on the policy/technology boundary. Any one persons "useful" boundary is someone else's nemesis. If we think like the poor funding officer in the program office, perhaps it will help. What character of proposal make it possible for him/her to make a decision (and one that lots of folks can applaud, even if you are not the recipient of some funds yourself). i think this is what is necessary, on this particular funding plan. It has to speak above and beyond the tech-wars (and Don made this point nicely, in his missive). It has to be painting a tone poem that expresses its idea, and *not* executing it - beyond a proof of concept stage.
OK, that says you use keygen to generate a key pair in Firefox (an
ActiveX control in IE). But you still have to use JavaScript to
import the certificate into the browser. AFAIK that's the only way
you can automatically import a certificate into the browser with
current technology. In Firefox you must be using
crypto.importUserCertificates(), is that right?
| Regards | |
| Signer: | Eddy Nigg, COO/CTO |
| StartCom Ltd. | |
| XMPP: | startcom <at> startcom.org |
| Blog: | Join the Revolution! |
| Twitter: | Follow Me |
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
To: Francisco Corella <fcorella <at> pomcor.com>
Cc: "openid-general <at> lists.openid.net >> 'openid-general'" <openid-general <at> lists.openid.net>; Karen Lewison <kplewison <at> pomcor.com>
Sent: Monday, February 13, 2012 5:46 PM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
On 02/13/2012 07:43 PM, From Francisco Corella:OK, that says you use keygen to generate a key pair in Firefox (an
ActiveX control in IE). But you still have to use JavaScript to
import the certificate into the browser. AFAIK that's the only way
you can automatically import a certificate into the browser with
current technology. In Firefox you must be using
crypto.importUserCertificates(), is that right?
No, that's wrong, we simply push the certificate to the browser in the correct format and headers. Browsers like Firefox know what to do with it in case it finds a valid key pair.
Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: startcom <at> startcom.org Blog: Join the Revolution! Twitter: Follow Me
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
I guess you mean that if the relying party downloads a certificate in
the body of an HTTP response with a content-type header whose value is
a MIME type indicating that the body contains a certificate, and if
Firefox "finds a valid key pair" then Firefox will import the
certificate automatically. Did I guess right?
Well, depending on the details, that could be a security hole. If the
valid key pair that Firefox finds consists of the publick key in an
existing certificate and the associated private key, Firefox could end
up replacing the existing certificate with one downloaded by an
attacker that binds the public key to the attacker's identity.
| Regards | |
| Signer: | Eddy Nigg, COO/CTO |
| StartCom Ltd. | |
| XMPP: | startcom <at> startcom.org |
| Blog: | Join the Revolution! |
| Twitter: | Follow Me |
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________
On 02/14/2012 06:46 AM, From Francisco Corella:I guess you mean that if the relying party downloads a certificate in
the body of an HTTP response with a content-type header whose value is
a MIME type indicating that the body contains a certificate, and if
Firefox "finds a valid key pair" then Firefox will import the
certificate automatically. Did I guess right?
Yes.Well, depending on the details, that could be a security hole. If the
valid key pair that Firefox finds consists of the publick key in an
existing certificate and the associated private key, Firefox could end
up replacing the existing certificate with one downloaded by an
attacker that binds the public key to the attacker's identity.
No, if an attacker could do that it'd be too late anyway, then he probably could impersonate the entire internet. "Finding" a public key that would match a private key is kind of impossible (with sufficient key size). But I'm not sure if this is the right forum for such crypto stuff.
Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: startcom <at> startcom.org Blog: Join the Revolution! Twitter: Follow Me
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
Well that was interesting. The shibolleth folks managed to setup a somewhat false distinction, 2+ years ago, with the help of several UK academics, to establish that the "protocol" of openid (v1 or v2) was inherently limited to LOA1 - by design nature. One sees this division BUILT IN to the ETSI work on nationa-id cards for future-telco, very clearly. Becuase SAML2 CAN be used with PKI, it was able "uniquely" to claim a space of being LOA2+ capable. NOw we learn that "openid connect" is not openid-2 (with bells and whistles). its an LOA2-capable definition, per se. Not knowing what openid connect is, I cannot really comment... In our space, we are still considering whether to turn on openid as-is (via the Microsoft STS bridge for websso protocols). openid as conceived is almost viable (now), to boostrap a professional agency/representation relationship. This move-up to LOA2 is going to restart a SAML2 war, since openid is not staying in its place (supporting blogging comments, and logon to a billion sites that "dont matter" - a phrase that is (c) UK academia). of course the distinction was false all along, but such are government programs - full of falseness and pretense and day-by-day political hashes. Its hard talking 2 storys out of your mouth at the same time - but thats what governing (and pre-competitive funding) is often all about. Perhaps folks here should all disclosure their "review" and 'influence" roles in the NSTIC program. John is quite open and fair and fully disclosed (if with a 6 month delay, so some proper use of FOUO can create effective working conditions for program management). Im not sure about others.
Peter, The thing that stopped openID 2.0 from being SP-800-63 LoA2 was the lack of protection of assertions from the Identity provider to the RP (No encryption or TLS protected direct communication) The thing that also stops it from being LoA 3 is a lack of asymmetric signatures for non repudiation. Support for PKI as the primary authenticator is the same for both openID 2 and SAML 2, and not one of the considerations. OpenID Connect http://openid.net/connect/ which is currently being voted on by the membership as an implementers draft addresses both issues. One might reasonably expect that once openID Connect is an approved specification FICAM will produce a profile of it, perhaps upto LaA 3 non Crypto or LoA 4 with Holder of key. There is also a openID Connect interop currently taking place amongst a number of the open source implementations http://osis.idcommons.net/wiki/OC3_OpenID_Connect_Interop_3. Foundation Members should read the proposed spec and vote for or against it as an implementers draft. The reason for the implementers draft is that it locks in the IPR contributions of all the contributors (Google, MS, Facebook, and Me etc). It also allows people to work on implementations without the spec changing weekly. There will likely still be some changes from the implementers draft to the final version based on testing feedback. We have been working on the specification in the openid-ab WG for several hers now so this should not be a big sup prise to anyone. Regards John B. On 2012-02-14, at 2:09 PM, Peter Williams wrote: > > Well that was interesting. > > > > The shibolleth folks managed to setup a somewhat false distinction, 2+ years ago, with the help of several UK academics, to establish that the "protocol" of openid (v1 or v2) was inherently limited to LOA1 - by design nature. One sees this division BUILT IN to the ETSI work on nationa-id cards for future-telco, very clearly. Becuase SAML2 CAN be used with PKI, it was able "uniquely" to claim a space of being LOA2+ capable. > > > > NOw we learn that "openid connect" is not openid-2 (with bells and whistles). its an LOA2-capable definition, per se. Not knowing what openid connect is, I cannot really comment... In our space, we are still considering whether to turn on openid as-is (via the Microsoft STS bridge for websso protocols). openid as conceived is almost viable (now), to boostrap a professional agency/representation relationship. > > > > This move-up to LOA2 is going to restart a SAML2 war, since openid is not staying in its place (supporting blogging comments, and logon to a billion sites that "dont matter" - a phrase that is (c) UK academia). > > > > of course the distinction was false all along, but such are government programs - full of falseness and pretense and day-by-day political hashes. Its hard talking 2 storys out of your mouth at the same time - but thats what governing (and pre-competitive funding) is often all about. > > > > Perhaps folks here should all disclosure their "review" and 'influence" roles in the NSTIC program. John is quite open and fair and fully disclosed (if with a 6 month delay, so some proper use of FOUO can create effective working conditions for program management). Im not sure about others. > > > > > > > > > > > > > _______________________________________________ > general mailing list > general <at> lists.openid.net > http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
what is news to me is that the foundation took upon itself to break free of the somewhat-specious buckets - that openid (the approach) was inherently unassurable (and thus LOA1).A lot of political energy went into characterizing openid - the brand - as only for "that which doesnt matter". Remember, consumers dont think in terms of formal technical definitions, or NIST criteria. They think in terms of rough classes of assurance. 1 There is me when being a pill on a blogging site, ranting on a topic I know nothing about after a beer (wishing I hadnt, the next day). There may even be me writing a blog, on something half adult. There is also me payign subscription using a credit card to 100 media outlets. 2 there is me doing paperwork when I get a job and do tax deductions (that hurt my pay cheque), or pay the road tax, or get a smog certificate for a vehicle; or licensing my shotgun for use in my extensive backyard. 3 there is me signing and certifying my annual tax form (under penalty of perjury), or registering a baby for a passport; or seeking government benefits (based on elgibility) 4 And there is me playing james bond, with instant, tamperpoof satellite communciations, all used to save the planet just in the nick of time. The last one has yet to happen for me (and probably wont). The other three are 80:15:5 percent of my arrangements. that openid intends - as a brand - to address the 2nd and 3rd categories is what is news (to me) - but remember Im not a foundation member. That there are bits and bytes of "more evolved" security protocols in the works was not (having seen all the same stuff done several times with different bit formats, over the years). if it helps, I can tell a story that may align with what the foundation has been doing. It may even mean the story is "resonating" (generally). lets week a really good engineer came to be and said: look, we cannot stand any more the fact that the web site farm talks to the web services (and the database) [farms] using trusted accounts. We want the user identity to drive what the (data center) web services does, and limit its access in the backroom. Its just too risky. I nearly fell of my seat, at hearing this (having said what we HERE all know is "proper" for years). Previously, the de facto and loud response was: its just not "important" (or economic). Go away, and talk to academics about stuff 15 years down the road.
Peter, While the social web use case continues to be important to the Foundation and it's members, that is not the only use case that needs to be addressed. Before NSTIC came about it was clear to many people that having multiple protocols and identity providers servicing smaller niches is not an ideal situation. In our redesign of openID we embrace both the important Authorization role of OAuth 2.0 has on the web as well as allowing for a a number of formal security profiles. This in principal will allow an account at an IdP to be used in applications from social gaming to tax filing. That is if the IdP chooses to support the more advanced profiles with signing and encryption for privacy. Users getting more value from accounts will be more interested in securing them with better primary authenticators like smart cards or more likely mobile device secondary factors. So the message is that OpenID Connect, and Connect providers are not just for low value transactions any more. There are things like trust frameworks for Identity and Attributes that need to be put into place. I am no stranger to the R&E community. There are people looking at how openID Connect can be added to products like SimpleSAMLphp and others to better integrate with GRID and cloud environments. I don't think SAML is going to be displaced any time soon (yes as a SAML contributed I play both sides) However it is not currently growing into the Social Web and NSTIC space. That is mostly due to vender incompetence in my opinion. There will certainly be additional plots and intrigue for you to uncover as this plays out:) What is safe to say, is that openID is not rolling over and giving up the fight any time soon. Regards John B. On 2012-02-14, at 2:55 PM, Peter Williams wrote: > > what is news to me is that the foundation took upon itself to break free of the somewhat-specious buckets - that openid (the approach) was inherently unassurable (and thus LOA1).A lot of political energy went into characterizing openid - the brand - as only for "that which doesnt matter". > > > > Remember, consumers dont think in terms of formal technical definitions, or NIST criteria. They think in terms of rough classes of assurance. > > > > 1 There is me when being a pill on a blogging site, ranting on a topic I know nothing about after a beer (wishing I hadnt, the next day). There may even be me writing a blog, on something half adult. There is also me payign subscription using a credit card to 100 media outlets. > > > > 2 there is me doing paperwork when I get a job and do tax deductions (that hurt my pay cheque), or pay the road tax, or get a smog certificate for a vehicle; or licensing my shotgun for use in my extensive backyard. > > > > 3 there is me signing and certifying my annual tax form (under penalty of perjury), or registering a baby for a passport; or seeking government benefits (based on elgibility) > > > > 4 And there is me playing james bond, with instant, tamperpoof satellite communciations, all used to save the planet just in the nick of time. > > > > The last one has yet to happen for me (and probably wont). The other three are 80:15:5 percent of my arrangements. > > > > that openid intends - as a brand - to address the 2nd and 3rd categories is what is news (to me) - but remember Im not a foundation member. That there are bits and bytes of "more evolved" security protocols in the works was not (having seen all the same stuff done several times with different bit formats, over the years). > > > > if it helps, I can tell a story that may align with what the foundation has been doing. It may even mean the story is "resonating" (generally). > > > > lets week a really good engineer came to be and said: look, we cannot stand any more the fact that the web site farm talks to the web services (and the database) [farms] using trusted accounts. We want the user identity to drive what the (data center) web services does, and limit its access in the backroom. Its just too risky. > > > > I nearly fell of my seat, at hearing this (having said what we HERE all know is "proper" for years). Previously, the de facto and loud response was: its just not "important" (or economic). Go away, and talk to academics about stuff 15 years down the road. > > > > > > > > > > > >
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
I have not followed openid for a couple of years. Shame on me. I have played with the Microsoft openid-websso bridge though (seeing something good, for us, even today). I for one really need to understand what has strategically changed (with openid-connect). In those years, however, things have changed somewhat even in realty - and adoption community. Remember, realty is a bell-weather adoption community; being SO mainstream (and cutting across all three bottom 3 LOA levels). There is a time when you are an online person, using the web as a communication and professional-evaluation medium, if not shopping and or seeking raw information. There is a time when you are risk most of your net worth (and lots of folks got that wrong, recently). There is a time when you are interacting formally with land registries and other formal and regulated processes (regulated "title" insurers, and city tax issues, liens, notes and trust-instruments). Not that the average consumer sees it, their professionals also have business=centric identity issues - being a simple competitor in marketing services, being a agent in a legally-defined representation agency capacity, and even being a party with certs that uses signature to induces federal authoriti es to do their thing (the HUD statement). Though that is all the formal process, into which openid might fit, there is also a much larger informal set of assurance controls that are just not technology-related, underpinning the realty world. Without insurance firm ratings, insurers are worthless (think AIG). Without insurance, the titles are not worth having. Without assured titles, you cannot get a mortgage. Without fixing the house leaks up to Fanne-Mae lending standards, no one else will lend (because the note is now not transferable, in the secondary market that funds the trillion dollar mortgage space). etc etc. Its a big "public" assurance space, that is - with many moving part - some technology driven, but most are not. But, mostly, its pretty ordinary folk who run the business, acting for pretty ordinary folks who COULD do everything themselves (if they want). 10 folks do, of course, using their craigslist account. THe problem with adopting ANY technology is that they all tend to be out of date in 3 years. Huge companies on tech-missions also tend to come (and quickly go). Google came and went, in the last 5 years. 15 years ago, Microsoft came and went. My boss tells me GTE with its many mainframes came and went 30 years ago, too. Folks see a trillion dollars and think "Fortune 1000" revenues and budgets - which never materialize - since its all about 25c per user, per month, per feature, since its all "public trust". Why go on about real estate? Because its "public trust" - in the final stage, using only comodity technology, largely settled law, and ordinary folks with ordinary education running the systems. NO defense trained folks, super spies, or managers with a direct line to the FBI. Its use of technology has to FIT, with those presumptions. The latest thing is just not interesting (another google wave). Things 5+ years old are "just" about interesting (eg. ws-fedp, SAML2, and now just about openid2) websso has been hard to gauge. Its had major impact on the systems-side of the industry in the last 5 years (and now we have at least 5 protocols in use, and an increasing trend for folks to define their own proprietary, simple tokens). As an industry, we dropped the SAML2 requirement (and insisted mere on the "use case" of websso). If folks decide on low-end tech, we deliver it - since the commodity marketplace has to FIND its happy medium. its now easy to mint 15 tokens, all variants of the same thing. Its not our place to insist on X. When I look at NSTIC, I think we (in our space) should be - at heart - taking a pass (for the first few years). Once aerospace has proven the point, once 5 government agencies are using it, and once the price has come down to cents, then (and only then) does it meet realty needs. Realty is the last adopter, when there is nothing left to argue about. At the same time, the typical realtor wants to be seen to endorse things like national programs (that just the kind of folks they are). They tend to be self-starters. So, while we wait, we also have to be keeping in touch, testing the waters to see when it hits commoditization point. (I was right to consider openid a false-commdization signal, note.) As I see it, we are in for another (2-5 year) round of quite-fundamental arguments (largely about bits and bytes, and systems of governance built into the bits and bytes flows). NSTIC is clearly the beginning of a (long) process, and not an imminent solution. Somehow, we have to endorse the mission so we actually land on the moon and dont just circle it). Perhaps that means, down here in the trenches, that we we just keep plugging away at the websso story, one business office at a time, building a grass roots receptivity (that will one day just flip-over, to the standard that EVERYONE else does).
Please note: I think this is a stupid idea. I'm only interjecting it because it's possible that the people who are smarter than me will say "Actually, . . . " >Before NSTIC came about it was clear to many people that having >multiple protocols and identity providers servicing smaller niches >is not an ideal situation. Decentralized also means scattered. A thousand smaller providers don't provide anywhere near the same level of assurance as a single strong (mil-spec) provider. But this problem seems familiar, somehow; didn't PGP try to solve a similar dilemma with its Web of Trust? I don't see how OpenID (or small providers thereof) could adapt the same solution, especially since we're speaking of companies (not individuals) and peer audits (which would still require some sort of standards anyway). -Shade 7C25 712A 4866 14B9 B08D FACD BB29 3326 3924 3E22
From: John Bradley <ve7jtb <at> ve7jtb.com>
To: Peter Williams <home_pw <at> msn.com>
Cc: openid-general <at> lists.openid.net
Sent: Tuesday, February 14, 2012 9:30 AM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
Peter,
The thing that stopped openID 2.0 from being SP-800-63 LoA2 was the lack of protection of assertions from the Identity provider to the RP (No encryption or TLS protected direct communication)
The thing that also stops it from being LoA 3 is a lack of asymmetric signatures for non repudiation.
Support for PKI as the primary authenticator is the same for both openID 2 and SAML 2, and not one of the considerations.
OpenID Connect http://openid.net/connect/ which is currently being voted on by the membership as an implementers draft addresses both issues.
One might reasonably expect that once openID Connect is an approved specification FICAM will produce a profile of it, perhaps upto LaA 3 non Crypto or LoA 4 with Holder of key.
There is also a openID Connect interop currently taking place amongst a number of the open source implementations http://osis.idcommons.net/wiki/OC3_OpenID_Connect_Interop_3.
Foundation Members should read the proposed spec and vote for or against it as an implementers draft.
The reason for the implementers draft is that it locks in the IPR contributions of all the contributors (Google, MS, Facebook, and Me etc).
It also allows people to work on implementations without the spec changing weekly.
There will likely still be some changes from the implementers draft to the final version based on testing feedback.
We have been working on the specification in the openid-ab WG for several hers now so this should not be a big sup prise to anyone.
Regards
John B.
On 2012-02-14, at 2:09 PM, Peter Williams wrote:
>
> Well that was interesting.
>
>
>
> The shibolleth folks managed to setup a somewhat false distinction, 2+ years ago, with the help of several UK academics, to establish that the "protocol" of openid (v1 or v2) was inherently limited to LOA1 - by design nature. One sees this division BUILT IN to the ETSI work on nationa-id cards for future-telco, very clearly. Becuase SAML2 CAN be used with PKI, it was able "uniquely" to claim a space of being LOA2+ capable.
>
>
>
> NOw we learn that "openid connect" is not openid-2 (with bells and whistles). its an LOA2-capable definition, per se. Not knowing what openid connect is, I cannot really comment... In our space, we are still considering whether to turn on openid as-is (via the Microsoft STS bridge for websso protocols). openid as conceived is almost viable (now), to boostrap a professional agency/representation relationship.
>
>
>
> This move-up to LOA2 is going to restart a SAML2 war, since openid is not staying in its place (supporting blogging comments, and logon to a billion sites that "dont matter" - a phrase that is (c) UK academia).
>
>
>
> of course the distinction was false all along, but such are government programs - full of falseness and pretense and day-by-day political hashes. Its hard talking 2 storys out of your mouth at the same time - but thats what governing (and pre-competitive funding) is often all about.
>
>
>
> Perhaps folks here should all disclosure their "review" and 'influence" roles in the NSTIC program. John is quite open and fair and fully disclosed (if with a 6 month delay, so some proper use of FOUO can create effective working conditions for program management). Im not sure about others.
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> general mailing list
> general <at> lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
John,
> The thing that stopped openID 2.0 from being SP-800-63 LoA2 was the
> lack of protection of assertions from the Identity provider to the RP
> (No encryption or TLS protected direct communication)
In the FICAM profile of OpenID 2.0, which you co-edited, I believe the
assertions are sent with TLS protection from the IdP to the browser
and from the browser to the RP. I realize that's indirect rather than
direct communication. But why the insistence on direct communication?
The browser has to be trusted anyway.
FranciscoFrom: John Bradley <ve7jtb <at> ve7jtb.com>
To: Peter Williams <home_pw <at> msn.com>
Cc: openid-general <at> lists.openid.net
Sent: Tuesday, February 14, 2012 9:30 AM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
Peter,
The thing that stopped openID 2.0 from being SP-800-63 LoA2 was the lack of protection of assertions from the Identity provider to the RP (No encryption or TLS protected direct communication)
The thing that also stops it from being LoA 3 is a lack of asymmetric signatures for non repudiation.
Support for PKI as the primary authenticator is the same for both openID 2 and SAML 2, and not one of the considerations.
OpenID Connect http://openid.net/connect/ which is currently being voted on by the membership as an implementers draft addresses both issues.
One might reasonably expect that once openID Connect is an approved specification FICAM will produce a profile of it, perhaps upto LaA 3 non Crypto or LoA 4 with Holder of key.
There is also a openID Connect interop currently taking place amongst a number of the open source implementations http://osis.idcommons.net/wiki/OC3_OpenID_Connect_Interop_3.
Foundation Members should read the proposed spec and vote for or against it as an implementers draft.
The reason for the implementers draft is that it locks in the IPR contributions of all the contributors (Google, MS, Facebook, and Me etc).
It also allows people to work on implementations without the spec changing weekly.
There will likely still be some changes from the implementers draft to the final version based on testing feedback.
We have been working on the specification in the openid-ab WG for several hers now so this should not be a big sup prise to anyone.
Regards
John B.
On 2012-02-14, at 2:09 PM, Peter Williams wrote:
>
> Well that was interesting.
>
>
>
> The shibolleth folks managed to setup a somewhat false distinction, 2+ years ago, with the help of several UK academics, to establish that the "protocol" of openid (v1 or v2) was inherently limited to LOA1 - by design nature. One sees this division BUILT IN to the ETSI work on nationa-id cards for future-telco, very clearly. Becuase SAML2 CAN be used with PKI, it was able "uniquely" to claim a space of being LOA2+ capable.
>
>
>
> NOw we learn that "openid connect" is not openid-2 (with bells and whistles). its an LOA2-capable definition, per se. Not knowing what openid connect is, I cannot really comment... In our space, we are still considering whether to turn on openid as-is (via the Microsoft STS bridge for websso protocols). openid as conceived is almost viable (now), to boostrap a professional agency/representation relationship.
>
>
>
> This move-up to LOA2 is going to restart a SAML2 war, since openid is not staying in its place (supporting blogging comments, and logon to a billion sites that "dont matter" - a phrase that is (c) UK academia).
>
>
>
> of course the distinction was false all along, but such are government programs - full of falseness and pretense and day-by-day political hashes. Its hard talking 2 storys out of your mouth at the same time - but thats what governing (and pre-competitive funding) is often all about.
>
>
>
> Perhaps folks here should all disclosure their "review" and 'influence" roles in the NSTIC program. John is quite open and fair and fully disclosed (if with a 6 month delay, so some proper use of FOUO can create effective working conditions for program management). Im not sure about others.
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> general mailing list
> general <at> lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
typically, the PC (and thus the browser, of any vendor) is regarded as untrusted - in the assurance controls world. First, the home PC controlled by the user (who is also not considered a trustworthy agent, formally, even when managing his/her OWN identity/attributes (!) ). yes, this distinguishes between trust and trustworthiness. Only the cloud vendors are trusted, to guage trustworthiness. The subscriber is NOT trustworthy, per se, and his/her equipment is usually unmanaged. Only other vendors are trustworthy as measured against a common standard, and common auditing standard. This is the whole "certification and accreditation" line of attack, not seen since the world of comsec controls and CCI equipment died (outside military circles) in the mid 90s. In a mandatory security/audit world (nomininally addressing the end-end privacy problem issue), one cannot have an untrustworth component contaminate the assurance betweten IDP and RP. Its a lowest common assurance level definition, and the PC brings the assurance level down to zero - since the user goes and installs some PC-proxy that intercepts and sends it an RP that is NOT on the IDP's governance list. so bearer-tokens are fine for websso, but not attribute exchange, under formal assurance doctrine. if there is end-end token encryption (and not 2 TLS tunnels connected at a PC) as in SAML2, the user/PC has little opportunity to interfere.
From: John Bradley <ve7jtb <at> ve7jtb.com>
To: Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
Cc: "openid-general <at> lists.openid.net >> 'openid-general'" <openid-general <at> lists.openid.net>
Sent: Tuesday, February 14, 2012 7:06 AM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
As a customer of Eddie's service I can say that it works quite well given the limitations of browsers.Getting users to manage moving private keys and certificates from Firefox into an iPhone is not something most people are going to manage, given the current technology. (yes it is possible)One possible area of exploration is coupling Eddie's existing LoA 2 certificates with openID Connect to have a LoA 2 service.Doing that with openID 2.0 is still a LoA 1 service so not particularly interesting to NSTIC.Having long experience with PKI client auth there are many things that could be done to improve the experience for using it as a primary authenticator for SAML, openID 2.0 and OpenID Connect.It is probably best to separate the primary and secondary authenticator issues to some extent, especially if you are looking for a grant.OpenID is agnostic to the primary authenticator technology used by Identity providers. Some like StarSSL use PKI, others like Google are offering OTP, and SMS, and Mobio who are doing QR codes.We still have a lot of room for innovation with primary authenticators.The hardest work is perhaps the identity proofing and management at higher assurance levels, without that the value of the additional security is not apparent to a lot of people.There are a lot of things people can try and get NSTIC grants for.I don't know that the openID general list is necessarily the place to dig into the deployment details of PKI client auth though.Good luck with your grant proposal for those of you going after it.John B.On 2012-02-14, at 7:55 AM, Eddy Nigg (StartCom Ltd.) wrote:_______________________________________________
On 02/14/2012 06:46 AM, From Francisco Corella:I guess you mean that if the relying party downloads a certificate in
the body of an HTTP response with a content-type header whose value is
a MIME type indicating that the body contains a certificate, and if
Firefox "finds a valid key pair" then Firefox will import the
certificate automatically. Did I guess right?
Yes.Well, depending on the details, that could be a security hole. If the
valid key pair that Firefox finds consists of the publick key in an
existing certificate and the associated private key, Firefox could end
up replacing the existing certificate with one downloaded by an
attacker that binds the public key to the attacker's identity.
No, if an attacker could do that it'd be too late anyway, then he probably could impersonate the entire internet. "Finding" a public key that would match a private key is kind of impossible (with sufficient key size). But I'm not sure if this is the right forum for such crypto stuff.
Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: startcom <at> startcom.org Blog: Join the Revolution! Twitter: Follow Me
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
To: "openid-general <at> lists.openid.net >> 'openid-general'" <openid-general <at> lists.openid.net>
Sent: Tuesday, February 14, 2012 2:55 AM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
On 02/14/2012 06:46 AM, From Francisco Corella:I guess you mean that if the relying party downloads a certificate in
the body of an HTTP response with a content-type header whose value is
a MIME type indicating that the body contains a certificate, and if
Firefox "finds a valid key pair" then Firefox will import the
certificate automatically. Did I guess right?
Yes.Well, depending on the details, that could be a security hole. If the
valid key pair that Firefox finds consists of the publick key in an
existing certificate and the associated private key, Firefox could end
up replacing the existing certificate with one downloaded by an
attacker that binds the public key to the attacker's identity.
No, if an attacker could do that it'd be too late anyway, then he probably could impersonate the entire internet. "Finding" a public key that would match a private key is kind of impossible (with sufficient key size). But I'm not sure if this is the right forum for such crypto stuff.
Regards Signer: Eddy Nigg, COO/CTO StartCom Ltd. XMPP: startcom <at> startcom.org Blog: Join the Revolution! Twitter: Follow Me
_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
_______________________________________________ general mailing list general <at> lists.openid.net http://lists.openid.net/mailman/listinfo/openid-general
RSS Feed