More secure future for OpenID?


Last year I was involved with OpenID and pushed, against the open and free concept of the OpenID standard, for two major changes. The first was to make it more secure by requiring Identity Providers (IDP) to run their authentication services over SSL/TLS instead of in plain text. The second was to provide authentication requirements and assurances. The latter would allow a relying party (RP) to actually trust, for authentication purposes, that the user of an OpenID URI has undergone some form of verification procedure and that his identity is reasonably protected. Otherwise anybody can set up an IDP server and use it to spam forums and web logs at will, not to speak of the higher levels of verification needed for other uses. Additionally, once a user account has been compromised, it would allow access to all OpenID-enabled sites with no questions asked. These were the dangers I saw in particular, and the reason why StartCom isn't using it anywhere.

By now, however, two additional policy extensions have made their way (as drafts) into the OpenID standard:

The former allows an RP to require certain security standards such as SSL/TLS encryption and enrollment properties (verification of the identity); the latter provides a standard for certain authentication requirements, such as digital certificates, smart cards, hardware tokens and OTP devices. With these two extensions I see OpenID going in the right direction, though there is still no agreed standards body for IDPs, and the verification performed by the IDP is something which has to be strengthened further. I wonder what the authors of this standard are up to in the future…?

Also still badly missing are libraries for scripting languages such as PHP which would implement those extensions and make deployment for relying parties (forums, blogs etc.) easier. But for now I welcome the new extensions, which might pave the way for the active participation of StartCom in OpenID, be it as a contributor, provider or relying party. It seems that my participation in OpenID was not in vain and a more secure future awaits the OpenID framework!
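As an added example (not code from the post, StartCom or Barnraiser), here is the relying-party side of what the two extensions described above make possible, the kind of check such a library would have to implement: refusing an assertion whose provider endpoint is not TLS-protected, whose asserted authentication policies fall short of what the RP required, or whose login is too old. Parameter names and policy URIs follow the PAPE (Provider Authentication Policy Extension) draft, which the post does not name; the provider hostnames, timestamps and the max_auth_age value are constructed.

```python
"""Relying-party (RP) checks on an OpenID 2.0 positive assertion: is the
provider endpoint TLS-protected, did the provider assert every authentication
policy the RP required, and is the login fresh?  Constructed example; the
parameter names and policy URIs are those of the PAPE draft."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"  # smart card, token, OTP device

def parse_response(query: str) -> dict:
    """Flatten the id_res query string into a dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def check_assertion(resp: dict, required: set, max_auth_age: int, now: datetime) -> list:
    """Return the policy violations found; an empty list means the RP may accept
    the assertion (after the usual signature and nonce checks, not shown here)."""
    problems = []
    endpoint = resp.get("openid.op_endpoint", "")
    if urlparse(endpoint).scheme != "https":
        problems.append("provider endpoint not TLS-protected: " + (endpoint or "<missing>"))
    if resp.get("openid.ns.pape") != PAPE_NS:
        problems.append("provider did not answer with the authentication policy extension")
        return problems  # without the extension there is no policy claim to evaluate
    # A provider that applied no policy answers "none"; treat that as the empty set.
    asserted = set(resp.get("openid.pape.auth_policies", "none").split()) - {"none"}
    for policy in sorted(required - asserted):
        problems.append("required policy not asserted: " + policy)
    # auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ; a stale login must not count.
    try:
        auth_time = datetime.strptime(resp["openid.pape.auth_time"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        problems.append("auth_time missing or malformed")
        return problems
    if (now - auth_time.replace(tzinfo=timezone.utc)).total_seconds() > max_auth_age:
        problems.append("authentication older than %d seconds" % max_auth_age)
    return problems

# Constructed samples: a plain-HTTP provider that applied no policy, and a TLS
# provider asserting a physical second factor one minute before NOW.
NOW = datetime(2007, 6, 1, 12, 1, 0, tzinfo=timezone.utc)
WEAK = parse_response(urlencode({"openid.mode": "id_res", "openid.op_endpoint": "http://idp.example/server",
    "openid.ns.pape": PAPE_NS, "openid.pape.auth_policies": "none", "openid.pape.auth_time": "2007-06-01T12:00:00Z"}))
STRONG = parse_response(urlencode({"openid.mode": "id_res", "openid.op_endpoint": "https://idp.example/server",
    "openid.ns.pape": PAPE_NS, "openid.pape.auth_policies": MULTI_FACTOR + " " + MULTI_FACTOR_PHYSICAL,
    "openid.pape.auth_time": "2007-06-01T12:00:00Z"}))
```

Calling `check_assertion(WEAK, {MULTI_FACTOR_PHYSICAL}, 300, NOW)` reports both the plain-text endpoint and the missing policy, while the same call on `STRONG` returns no violations.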

Reader Comments

I think work is being done in the area of phishing (both Mozilla and Microsoft have announced for Firefox 3.0 / Vista).

At Barnraiser (http://www.barnraiser.org) we are writing PHP consumer/server classes that use the Diffie-Hellman shared secret as standard. These will be released in the Autumn under GPL (you can join this effort at http://openid.barnraiser.net).

My personal belief is that when a quality set of GPL’ed classes appears for OpenID 2.0 it will attract a wider discussion on security which in turn will lead to adoption of OP guidelines (such as SSL usage).