On Wed, 2007-04-04 at 20:02 +0000, Vinay Gupta wrote:
> On Apr 4, 2007, at 7:43 PM, Douglas Otis wrote:
>
> Hm. Well, I don't mean to suggest that we tear off fixing or expressing
> the whole semantics of PKI, but I do think that some care should be
> taken to make sure that it's clear what the security status of a
> returned key is. Problems like Confused Deputy can easily arise when
> you start dealing with registry systems which aren't under really
> tight control.
> 
> I don't have a neatly packaged solution for this, but we're dealing
> with situations which can have very significant legal repercussions:
> digital signatures are legal for some kinds of transactions in some
> jurisdictions, and however this is handled it has to have some
> approach to the questions of "what is the key good for, and who says

OpenID appears fairly prone to phishing exploits, as it expects a user
to pay close attention to where they end up and the other URL involved.
OpenID could evolve into offering public keys during the initial logins
along with other identity attributes that could help solve this problem.
The RP could retain keys for some period since last use to suppress the
number of times OpenID is invoked.  Rather than an expiry, the attribute
might want to be defined differently.

Some key agent would be needed that replicates the authentication
process now available using SSH.  This does not depend upon
certificates, but rather a simple list of public keys.  Once this
concept becomes routine, other applications will likely include this
mode of operation where identifying the application becomes important.

This would _not_ be a certificate as you seem to imply.  Try to keep it
simple, but if an attribute can include a Time to Live or Expiry
parameter, then it would be nice to have a class of attributes
identified as public keys with sub-attributes for the application, where
the default would be some OpenID compliant HTTP access scheme.  An
application that would not require development, other than maintaining a
list of keys, would be SSH.

Although perhaps too complex for the average user, SSH could also be
used to authenticate web access.  This is standard for any Unix based
OS, and could be found by using PuTTY and Pageant on a Windows platform.

There is even an interesting version of this that runs from a USB flash:
http://www.chiark.greenend.org.uk/%7Esgtatham/putty/

Although the world demands GUI, terminal interfaces already offer a
powerful set of tools for doing exactly what is needed.  Public key
cryptography reduces the overhead and security concerns substantially.
This may also provide an alternative for rather complex OpenID
extensions that will likely overreach with respect to security.

-Doug
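The scheme Doug sketches above, as an added Go example that is not part of this thread or of any OpenID implementation: the RP keeps a per-identifier list of public keys with an application sub-attribute, retains each key for some period measured from its last use, and authenticates SSH-style by having the client sign a single-use challenge, falling back to a full OpenID login only when no retained key is valid. The `Registry` and `KeyAttr` names, the Ed25519 key type, the `http`/`ssh` application labels and the single-use nonce table are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// KeyAttr is the assumed public-key attribute an OpenID provider could return
// at first login: the key, the application it is good for, and its last use.
type KeyAttr struct {
	App      string // "http" (the default) or e.g. "ssh"
	Pub      ed25519.PublicKey
	LastUsed time.Time
}
// Registry is the RP's per-identifier key list, kept like an SSH
// authorized_keys file: no certificates, just keys and single-use challenges.
type Registry struct {
	Retain time.Duration
	Keys   map[string][]*KeyAttr
	Nonces map[string]bool
}
// Add records a key learned from the OpenID provider for the claimed id.
func (r *Registry) Add(id, app string, pub ed25519.PublicKey, now time.Time) {
	r.Keys[id] = append(r.Keys[id], &KeyAttr{App: app, Pub: pub, LastUsed: now})
}
// Challenge issues a fresh random nonce to sign; each is accepted once.
func (r *Registry) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	r.Nonces[string(n)] = true
	return n, nil
}
// Verify accepts a signature over a live nonce by a retained key for id/app
// and refreshes its last-use time; a stale or unknown key is refused, which
// is where the RP would fall back to a full OpenID login.
func (r *Registry) Verify(id, app string, nonce, sig []byte, now time.Time) error {
	if !r.Nonces[string(nonce)] {
		return errors.New("unknown or already used challenge")
	}
	delete(r.Nonces, string(nonce))
	for _, k := range r.Keys[id] {
		if k.App == app && now.Sub(k.LastUsed) <= r.Retain && ed25519.Verify(k.Pub, nonce, sig) {
			k.LastUsed = now
			return nil
		}
	}
	return errors.New("no valid key for this application: re-run OpenID login")
}
```

The retention window runs from last use rather than from a fixed expiry, so an identity in regular use never triggers a new OpenID round trip while an abandoned key quietly ages out.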
   


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs