{"id":655,"date":"2007-01-20T15:20:28","date_gmt":"2007-01-20T23:20:28","guid":{"rendered":"\/?p=655"},"modified":"2007-01-20T22:05:16","modified_gmt":"2007-01-21T06:05:16","slug":"dmitry-shechtmans-underdevelopment-blog","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=655","title":{"rendered":"Dmitry Shechtman&#39;s Undevelopment Blog"},"content":{"rendered":"<p>So much is happening in the identity discussion it&#39;s hard to keep up with it.&nbsp; Through the miracles of ping-back I came across&nbsp;<a href=\"http:\/\/blog.phpbb.cc\/\">The Undevelopment Blog<\/a> by Dmitry Shechtman, and <a href=\"http:\/\/blog.phpbb.cc\/2007\/01\/20\/identity-manager-a-browser-based-solution-to-openid-phishing\/\">this posting<\/a>&nbsp;on a new proposal called Identity Manager:&nbsp;<\/p>\n<blockquote><p>It seems like the OpenID community is currently bothered with the following two questions:<\/p>\n<ol>\n<li><a title=\"Links: OpenID Phishing Heaven\" href=\"http:\/\/www.links.org\/?p=187\">OpenID facilitates phishing<\/a>. What can be done about this?<\/li>\n<li><a title=\"O&#39;Reilly Radar: FireFox 3.0 Requirements Are Out\" href=\"http:\/\/radar.oreilly.com\/archives\/2007\/01\/firefox_30_requ.html\">FireFox 3.0 will have CardSpace and OpenID support<\/a>. What does that mean?<\/li>\n<\/ol>\n<p>I <a title=\"External Authentication and OTP\" href=\"http:\/\/blog.phpbb.cc\/2007\/01\/12\/external-authentication-and-otp\/\">addressed<\/a> the OpenID <strong>phishing problem<\/strong> even before it became wildly discussed. Unfortunately, the method wasn&#8217;t <a title=\"External Authentication: Followup\" href=\"http:\/\/blog.phpbb.cc\/2007\/01\/13\/external-authentication-followup\/\">foolproof<\/a>, to say the least. 
<a title=\"Simon Willison: Solving the OpenID phishing problem\" href=\"http:\/\/simonwillison.net\/2007\/Jan\/19\/phishing\/\">Several<\/a> <a title=\"Hans Granqvist: OpenID and phishing\" href=\"http:\/\/commented.org\/blog\/2007\/1\/19\/openid-and-phishing.html\" class=\"broken_link\">other<\/a> suggestions have been brought up, but none seemed to solve the problem without making OpenID unusable.<\/p>\n<p><a title=\"Identity Blog\" href=\"https:\/\/www.identityblog.com\/\">Kim Cameron<\/a> of Microsoft has been <a href=\"\/?p=649\">repeatedly<\/a> <a href=\"\/?p=650\">promising<\/a> to elaborate on how <strong>CardSpace and OpenID<\/strong> could converge. Although he has yet to keep his promise, we can make an educated guess. We recently saw the FireFox extension <a title=\"FireFox Identity Selector\" href=\"http:\/\/xmldap.org\/\">Identity Selector<\/a> act as an in-browser <a title=\"Combining CardSpace and OpenID\" href=\"http:\/\/xmldap.blogspot.com\/2006\/12\/combining-cardspace-and-openid.html\">OpenID-to-InfoCard bridge<\/a>. That is definitely something CardSpace folks would love to see as a standard browser feature, since it would effectively turn an OpenID into nothing more than a fairly insecure InfoCard.<\/p>\n<p><a title=\"Identity Blog\" href=\"https:\/\/www.identityblog.com\/\" \/><a id=\"more-83\" \/>Of course, OpenID could simply <a href=\"http:\/\/article.gmane.org\/gmane.comp.web.openid.general\/3823\">dismiss<\/a> CardSpace (I was trying to get into the average kool-aid drinker&#8217;s shoes). Or it could very well learn from it. The CardSpace <strong>UI<\/strong> seems very intuitive:<\/p>\n<ul>\n<li>A <em>Sign In<\/em> button on a website<\/li>\n<li>An identity selection dialog<\/li>\n<li>Seamless <strong>secure<\/strong> login<\/li>\n<\/ul>\n<p>This is exactly what OpenID needs in order to become both widely used and insusceptible to phishing. 
And since CardSpace planned support is now a reality, why shouldn&#8217;t OpenID be integrated? This is no trivial requirement, but one that can be met with some additions to the browser logic.<\/p>\n<p>The combination of UI and business logic outlined in this proposal is dubbed <strong>Identity Manager<\/strong>. The proposal uses informal language (<em>should<\/em>, <em>must<\/em>, <em>be<\/em> and <em>do<\/em> are used interchangeably); handle with care.<\/p>\n<p>Whenever a web page presents an OpenID sign in option, the OpenID field and the <em>Sign In <\/em>button are replaced by a single <em>OpenID Sign In<\/em> button. Moreover, separate <em>OpenID Sign In<\/em> and <em>CardSpace Sign In<\/em> buttons are replaced with a <em>Secure Sign In<\/em> button.<\/p>\n<p>Once such a button is pushed, an Identity Manager window is presented with a list of the user&#8217;s identities &#8212; OpenIDs, InfoCards or both, depending on what the relying party accepts. The user must be able to decline; we treat this case as trivial. The user must be able to make a persistent selection (e.g. 
a checkbox with the text <em>Always use this ID for example.com<\/em>).<\/p>\n<p>(<a href=\"http:\/\/blog.phpbb.cc\/2007\/01\/20\/identity-manager-a-browser-based-solution-to-openid-phishing\/\">Dmitry&#39;s piece continues here&#8230;<\/a>)<\/p><\/blockquote>\n<p>I would never&nbsp;characterize OpenID as &#8220;nothing more than a fairly insecure infocard&#8221;.&nbsp;It is a system where the root of trust is&nbsp;defined to be <strong>control over the content at a URL<\/strong>.&nbsp; Folks, this is innovative.&nbsp; I like it as&nbsp;what I call an &#8220;underlying identity system&#8221; that should live within the identity metasystem.&nbsp; Given&nbsp;its theoretical starting point in terms of trust, <em>OpenID&nbsp;has the security characteristics, good and bad, of the Internet which it harnesses in the name of identity<\/em>.&nbsp; That makes it very exciting, especially for bottom-up use cases involving public personas.<\/p>\n<p>But &#8220;exciting&#8221; doesn&#39;t mean &#8220;good for every purpose.&#8221;&nbsp;&nbsp;OpenID won&#39;t replace all other forms of digital identity!<\/p>\n<p>Is it necessary to explain further?<\/p>\n<p>I&#39;m fine with blog comments being associated with my URL.&nbsp; But I don&#39;t want access to my bank account to be gated by nothing more than <em>the ability to set the header in what a system thinks is<\/em> <a href=\"https:\/\/www.identityblog.com\/\">https:\/\/www.identityblog.com<\/a>&nbsp;(I&#39;m&nbsp;thinking here&nbsp;about all the potential attacks on DNS as well as the ways in which third parties could gain unauthorized access to&nbsp;my page).&nbsp;<\/p>\n<p>My site is hosted&nbsp;by the good people at <a href=\"http:\/\/www.textdrive.com\/\">http:\/\/www.textdrive.com<\/a>.&nbsp; As administrators of the shared systems there, they&nbsp;could certainly, for example,&nbsp;gain access to my pages.&nbsp;<\/p>\n<p>Are their employees bonded?&nbsp;&nbsp;Do they practice strict&nbsp;separation of duties for access 
to web pages?&nbsp; Do they have HR practices that will protect them from organized crime?&nbsp; I don&#39;t think so!&nbsp; And if they did,&nbsp; wouldn&#39;t they turn into&nbsp;the world&#39;s&nbsp;most&nbsp;bureaucratic mess as a web hosting service?&nbsp; Their flexibility and personal touch is what makes them so good.&nbsp; I like them just as they are, thank you very much.<\/p>\n<p>So&nbsp;it all comes&nbsp;back to the Laws of Identity.&nbsp; There will be a pluralism of providers and technologies, optimal in different use cases.&nbsp;&nbsp;And, as the potential phishing attacks demonstrate,&nbsp;there&nbsp;remains the requirement of giving users a&nbsp;consistent and controlled experience across these multiple systems.<\/p>\n<p>My conclusion?<\/p>\n<p>Combine CardSpace (insert&nbsp;your favorite replacement identity selector here) with OpenID and you have the best of both worlds.&nbsp; You have the web-based identity system.&nbsp; You have a consistent anti-phishing user experience.&nbsp; And you have continuity between OpenID and other underlying systems in a metasystem.&nbsp; Wouldn&#39;t we all want this?<\/p>\n<p>As Dmitry reports, I have&nbsp;promised to share my own technical ideas about how to move forward but haven&#39;t come through on&nbsp;my promise yet.&nbsp; So I&#39;m going to do that now.&nbsp; One idea is very simple (and effective) &#8211; I&#39;ll start with that.&nbsp; The second is in many ways more interesting (at least to me)&nbsp;but I need to explain a bit more about managed cards before I get to it.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenID is a system where the root of trust is defined to be control over the content at a URL. 
<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[16,2,8,15,3,22],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/655"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=655"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/655\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}