Delusions Of Security
So you wannabe an OpenID provider?
We have been discussing OpenID inside Sun and, as of last spring, set up an OpenID identity provider for employees to use. This has not been without some discussion and a few lessons not necessarily learned, but at least considered.
Coming from a background of "Trust everyone, but always cut the deck", OpenID has an attraction to me, but also sets off warning lights. I regularly look at about six different newspapers. Each has a different username or password. Wouldn't it be convenient to have a way to identify myself with a common chit at each one? Adding another newspaper would be as simple as typing in my OpenID URL. Since all I want to do is read a few articles, I wouldn't care much if any, or all, of my newspaper-reading IDs got compromised.
There is generally little risk associated with this activity. Arguably, if I worked at the White House and my compromised account revealed I was an avid reader of Mother Jones News, it could be a career-limiting move.
But, I digress.
The result of a meeting in which concerns were raised, teeth were gnashed and hands were wrung was to make sure users of OpenID know its appropriate applications and limitations. Deployment is less about whether to use "https" instead of plain "http" than it is about user education.
In fact, the illusion of more secure connections using https with OpenID instead of http is just that: illusory. Secure http connections are based on the assumption that the provider is using a trusted certificate authority. For example, a typosquatter could take advantage of the fact that I type 20 words and 30 mistakes/minute and register adb.com instead of adn.com. When I want to read the Anchorage Daily News and mistype the URL, I would end up at an unintended location. I might get a clue something was amiss when I was asked to approve an untrusted certificate, but my mother might have been trained to always hit 'continue' on all the aggravating pop-ups if she wants to get something done. At that point, the trust implied in an https connection would be compromised by accepting the certificate.
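The adb.com/adn.com slip described above can be flagged before any connection is made, by comparing the typed host against hosts the user already relies on, so the outcome does not hinge on how the user answers a certificate warning. This is an added example, not code from the original post; the `KNOWN_HOSTS` list, the function names and the distance threshold of 1 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: adn.com comes from the post, the other host is a placeholder.
KNOWN_HOSTS = {"adn.com", "openid.example.org"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent characters swapped ("and" typed for "adn") counts as one slip.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_host(url: str, known=KNOWN_HOSTS, max_distance: int = 1):
    """Return ("known", host), ("lookalike", nearest_known) or ("unknown", host)."""
    # Accept both full URLs and bare host names as a user would type them.
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in known:
        return ("known", host)
    for good in sorted(known):
        if edit_distance(host, good) <= max_distance:
            # One keystroke away from a trusted host: ask the user before going on.
            return ("lookalike", good)
    return ("unknown", host)


if __name__ == "__main__":
    for typed in ("https://www.adn.com/", "adb.com", "and.com", "https://example.net/"):
        print(typed, "->", check_host(typed))
```

A "lookalike" result is a prompt to confirm the address, not proof of a hostile site; short legitimate domains can sit one character apart.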
Since there is no central OpenID authority, just like there are 50 different licensing bureaus for driving in the US, I am being asked to trust the equivalent of a Hawaiian driver's license with the name McLovin.
According to Sun's OpenID policy,
"OpenID is an untrusted protocol. Sun has no liability for what happens to any information you give to a third-party web site using this service. Most OpenID-enabled sites are genuine but some may be phishers or other rogues."
After user education, the rest is easy.
Posted at 12:06AM Sep 01, 2007 by Steven Nelson in Security
Why?
What prompted this sudden rush to action?
I was having a conversation about OpenID today. During the call, a recurring theme rolled through my mind and this blog was the result.
Don't get me wrong; I think there is a place for OpenID. But it's one of those things like walking through an airport in your socks that makes me scratch my head. Do people know why their toothpaste has suddenly been rendered safe by being put behind a protective 2 mil plastic shield? Why put a lock on a glass door? Do smokers ever read the packages, and how cool are the gruesome pics on Canadian cig packs?
I am working with an interesting group of people here at Sun on an OpenID project. Some of the discussion has been quite entertaining and as soon as I finish a research paper that is due this week, I'll come back and share some delusions - and possibly some recognition and avoidance points.
Posted at 06:16PM Aug 29, 2007 by Steven Nelson in Security
Saturday Sep 01, 2007