We need a spectrum

Stefan Brands runs off in the wrong direction in his recent treatise on OpenID.  Who really needs a “shock and awe” attempt to bonk the new OpenID “cryptographic primitives” back into the stone age?

It's not that you shouldn't read the piece; even though subtlety is not its strong suit, it brings together a lot of information about a threat model for OpenID.

The main problem is simply that it misses the whole point about why OpenID is of interest.

Stefan’s second paragraph betrays what I fear are advanced symptoms of inventor’s disease: loss of perspective and the illusion that one’s own technology should be used for everything.

Consider this:

OpenID was designed as a lightweight solution for “trivial” use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser.   Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords…

“Beyond this, OpenID is pretty much useless…”

Rewind.  Isn't this a bit like saying, “Beyond being a food, rice is pretty much useless…”?  To be useful, rice doesn't have to be the single food that solves all our cravings and nutritional needs, day and night.  It just needs to be good as, well, as rice.

Moving beyond metaphor, we have to ask what “trivial” is supposed to mean…

Oxford University Press comes to the rescue:  “Of little value or importance; concerned only with trifling or unimportant things.”

Hmmm.  How did Stefan, by day the friendly cryptographer working to protect our privacy, suddenly become the arbiter of what is trivial and worthwhile and what isn't?

Suddenly, social networking is trivial.  Blogging is trivial.  Internet browsing is trivial.  In fact most of what most of us do on the internet is trivial.  (Could we be trivial too?)

But then morning comes, and Stefan returns to his studied analysis and professorial stance as though no norms have been violated.  Even so, the fabric of his argument has been damaged.

Daily life on the web is not trivial.  Getting identity right in the basic web social contexts would mean a lot to everyone.  In fact, I doubt anything would do more to bring an understanding of digital identity into our culture and society.

So Stefan should shy away from dismissing these scenarios – even if they don’t require his admittedly excellent crypto technology to address them.  

In fact the suitability of lightweight technology to solving social networking problems leads Stefan to worry that it will be adopted for other more complex purposes:  banking, government identity, private relationships. 

Is this worry warranted?

Has anyone seen any signs of banks and governments kneeling at the altar of OpenID? They all seem to have adult supervision, and experts who understand that their scenarios call for stronger protection, and involve risk.  I counsel Stefan not to worry that he is the only one to understand security threats. Security experts have admittedly been slow to pick up on privacy issues, and I understand why this irks Stefan – in fact I empathize – but let’s not exaggerate: the security community does get the notion of threat analysis.

Popping up a level, we need a spectrum of solutions to identity problems.  Ergo, the identity metasystem.

We need identity solutions like OpenID that lend themselves to easy, rapid, widespread deployment in contexts where the cost of concerted professional attacks would not be warranted.  This can help us get the ball rolling by providing a common denominator for our public persona.

We also need technologies for commercial web interactions that are honed for privacy, for safety, for the life of the digital citizen and knowledge worker.

I wrote about these issues while documenting the Fifth Law of Identity:  the requirements of different use cases are in many cases contradictory. The lesson driven home since then by our friends at OpenID is that the lightweight end of this spectrum can enable lots of good scenarios, and unleash interest in new technologies that resolve the problems posed by the more complicated use cases. 

The spectrum of technologies comprising the identity metasystem would benefit from a suggestion made recently by Bob Blakley of the Burton Group. He argues that the OpenID specification should include an articulation of the constraints on what it is attempting to achieve.

I agree, with the proviso that other protocols, like SAML 2.0 and WS-Federation, should do the same.  All these protocols are good in different ways and subject to attacks of various kinds – and seem to have proponents who argue they should be used everywhere for everything – constraints be damned!

Bob proposes the following as the relevant questions:

1. What are the assets a given system is meant to protect?

2. What are the services offered?

3. What quality of protection is claimed for these services?

4. What is the threat model?

5. What is the trust model?

There needs to be one more question, along the lines of “What factors constrain the deployment of this technology for internet activities?” I can believe this is some kind of refinement of question #1.

In other words:  it is important that we grasp both the heaviness and the lightness of being.

Published by

Kim Cameron

Work on identity.

7 thoughts on “We need a spectrum”

  1. A bunch of space is spent decrying the use of the word “trivial” when I think it makes perfect sense in the original context – OpenID is for sites with “trivial” security requirements, which isn't to suggest that the applications themselves are trivial or unimportant. It seems fitting to say that a site's security requirements are trivial if all it does is force free registration for the sake of posting, or some such, which is exactly what OpenID so perfectly solves.

    And, yes, rice is good. The danger is that somebody will try to sell that rice as a gourmet meal. You suggest that that shouldn't be such a concern, but in practice it is. At the July Concordia conference we saw the likes of Boeing debating whether OpenID could solve some of their external access problems! Of course, they probably have ample security staff on hand to make arguments back and forth and delineate an overall posture, etc. But at many smaller companies the person making security decisions is just the person who knows the most about security (I was unofficial security guy at a company I worked at for two years), and there are definitely posts out there hyping OpenID as very secure.

    Above it also says “concerted professional attacks would not be warranted.”, but it doesn't take a concerted professional attack to break OpenID. My site is https://www.embracetherandom.com. Even though I am using HTTPS, any employee at my hosting service can edit my site; if I weren't using HTTPS then any individual that can spoof DNS or alter the data in transit can effectively edit my site. These attacks take a minor amount of focus, but are by no means limited to well funded professionals. In addition, I suspect there is more value than people realize in tying together identity across social networking sites, enough that private investigators and the like are probably already looking into OpenID attacks. Then again, they need not go through all that if they just want to phish for the main password, which is a more valuable target the more sites the account is linked to, and is something which OpenID is pretty vulnerable to.

    All that said, I agree a spectrum is better than a binary security bit. But that spectrum needs to be realistically defined and well publicized. Ideally OpenID needs some solid user security studies in the wild.

  2. What I don't understand is that almost nobody seems to care about ease of use. OpenID is terrible in this regard. I have to manage all my data on an external website and whenever I want to login I have to enter a long URL. Not only that, I actually have to create an account in advance before I can login on some other website. With CardSpace I can do that on-the-fly when logging in for the first time.

    When linked with information cards, OpenID can at least save me the need to type in the URL, but I still have to go to the OpenID provider to change my details. What's the point of OpenID cards if I can as well just create a self-issued card that is much easier to edit and doesn't force me to enter a password?

    Moreover, creating an OpenID and importing the card is much more complicated than just creating a self-issued card (esp. on-the-fly when trying to login).

    Even in low-security situations like blog comments I'd always prefer self-issued cards because they're easier to use. I don't believe that OpenID will grow beyond the geek market if people can also use CardSpace.

    The only advantage of OpenID is that I don't need to carry my ID with me, but if websites allow for linking multiple cards with the same account then that's not a huge problem, either. Also, you could make it possible to automatically synchronize the information cards with a flash drive or even the mobile phone (via Bluetooth?) and, when using a foreign computer, allow for directly accessing the cards on the flash drive without importing any of them on that computer.
