Sunday, July 27, 2008

OpenID gets the third degree at OSCON

From Nathan Willis at OpenID gets the third degree at OSCON

"Another audience member raised a more serious issue, asking whether OpenID's security model had been reviewed and vetted by security and cryptography professionals, citing the slide in Willison's presentation that abstracted part of the OpenID authentication process as "then magic happens." Why should we trust this magic, the audience member asked, when new attack vectors still threaten even established, vetted systems like SSL?

Several of the panelists insisted that OpenID should be considered a work in progress, one that would never provide perfect security but should be actively maintained and watched for exploits. Tom said that Yahoo!'s engineering team had examined OpenID and found it to be at least as good as the company's proprietary authentication system, adding "cryptography is not rocket science."

Others asked about domain hijacking of OpenID URLs, privacy, and single-point-of-failure concerns. For some topics, the panel members had concrete answers, for others they did not. At one point Tom declared OpenID "essentially a streamlined reset-password-by-email process." And I found it amusing when, near the end, one audience member asked how many different OpenIDs the panelists had -- and the answers were "four or five," "half a dozen," and "seven or eight."

But it was all in good fun. Culver, after all, wasn't actually taking the gloves off; the panel had asked her beforehand to hassle them during the Q&A. And Kveton's opening remark was "I love OpenID, but it sucks."

There are a lot of misunderstandings about OpenID, some of which are the result of its creators, and some the result of real-world implementations that universally blur the distinctions between identity, authentication, and security. OpenID really only defines the first, but deploying a single sign-on solution involves all three. How to make that clear to the average Web user is the challenge."

No comments: