Stefan Brands runs off in the wrong direction in his recent treatise on OpenID. Who really needs a “shock and awe” attempt to bonk the new OpenID “cryptographic primitives” back into the stone age?
It's not that you shouldn't read the piece; even though subtlety is not its strong suit, it brings together a lot of information about a threat model for OpenID.
The main problem is simply that it misses the whole point about why OpenID is of interest.
Stefan’s second paragraph betrays what I fear are advanced symptoms of inventor’s disease: loss of perspective and the illusion that one’s own technology should be used for everything.
“OpenID was designed as a lightweight solution for ‘trivial’ use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser. Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords…”
“Beyond this, OpenID is pretty much useless…”
Rewind. Isn't this a bit like saying, “Beyond being a food, rice is pretty much useless…”? To be useful, rice doesn't have to be the single food that solves all our cravings and nutritional needs, day and night. It just needs to be good as, well, as rice.
Moving beyond metaphor, we have to ask what “trivial” is supposed to mean…
Oxford University Press comes to the rescue: “Of little value or importance; concerned only with trifling or unimportant things.”
Hmmm. How did Stefan, by day the friendly cryptographer working to protect our privacy, suddenly become the arbiter of what is trivial and worthwhile and what isn't?
Suddenly, social networking is trivial. Blogging is trivial. Internet browsing is trivial. In fact most of what most of us do on the internet is trivial. (Could we be trivial too?)
But then morning comes, and Stefan returns to his studied analysis and professorial stance as though no norms have been violated. Even so, the fabric of his argument has been damaged.
Daily life on the web is not trivial. Getting identity right in the basic web social contexts would mean a lot to everyone. In fact, I doubt anything would do more to bring an understanding of digital identity into our culture and society.
So Stefan should shy away from dismissing these scenarios – even if they don’t require his admittedly excellent crypto technology to address them.
In fact, the suitability of lightweight technology to solving social networking problems leads Stefan to worry that it will be adopted for other, more complex purposes: banking, government identity, private relationships.
Is this worry warranted?
Has anyone seen any signs of banks and governments kneeling at the altar of OpenID? They all seem to have adult supervision, and experts who understand that their scenarios call for stronger protection, and involve risk. I counsel Stefan not to worry that he is the only one to understand security threats. Security experts have admittedly been slow to pick up on privacy issues, and I understand why this irks Stefan – in fact I empathize – but let’s not exaggerate: the security community does get the notion of threat analysis.
Popping up a level, we need a spectrum of solutions to identity problems. Ergo, the identity metasystem.
We need identity solutions like OpenID that lend themselves to easy, rapid, widespread deployment in contexts where the cost of concerted professional attacks would not be warranted. This can help us get the ball rolling by providing a common denominator for our public persona.
We also need technologies for commercial web interactions that are honed for privacy, for safety, for the life of the digital citizen and knowledge worker.
I wrote about these issues while documenting the Fifth Law of Identity: the requirements of different use cases are in many cases contradictory. The lesson driven home since then by our friends at OpenID is that the lightweight end of this spectrum can enable lots of good scenarios, and unleash interest in new technologies that resolve the problems posed by the more complicated use cases.
The spectrum of technologies comprising the identity metasystem would benefit from a suggestion made recently by Bob Blakley of the Burton Group. He argues that the OpenID specification should include an articulation of the constraints on what it is attempting to achieve.
I agree, with the proviso that other protocols, like SAML 2.0 and WS-Federation, should do the same. All these protocols are good in different ways and subject to attacks of various kinds – and seem to have proponents who argue they should be used everywhere for everything – constraints be damned!
Bob proposes the following as the relevant questions:
1. What are the assets a given system is meant to protect?
2. What are the services offered?
3. What quality of protection is claimed for these services?
4. What is the threat model?
5. What is the trust model?
There needs to be one more question, along the lines of “What factors constrain the deployment of this technology for internet activities?” I can believe this is some kind of refinement of question #1.
In other words: it is important that we grasp both the heaviness and the lightness of being.