Radovan Semančík's Weblog

Friday, 14 September 2007

OpenID. Really interesting system. It uses the classic "There and Back Again" approach to single sign-on (redirecting the user to the Identity Provider and then back to the Service Provider). It inherits most of the problems of LID and SXIP (see my old paper). That is quite expected.

What is not expected is that the guys cannot take the lesson. They do the basic Diffie-Hellman key agreement, but they do not think much about authenticating the keys, which is an age-old mistake with D-H. They expect that when the key comes from the right location, it must be authentic. Well, to be honest, there is a way to authenticate the key: using HTTPS. Which in turn takes us to SSL/TLS and to X.509.

Now, let's have a look. We have Diffie-Hellman, which is foolishly insecure without SSL. So we are going to use SSL. Now we have a pretty secure connection between the relying party and the OpenID provider. So why bother with Diffie-Hellman? Why can't we just exchange the shared secret directly?
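The association being argued about, as an added example (my code, not the blog's or the OpenID project's): a minimal Python model of the OpenID 2.0 DH-SHA1 key derivation (SHA-1 of the shared secret XORed with the MAC key) over a toy group whose parameters are constructed here and are not the spec's default modulus. It shows that the relying party's recovered MAC key depends only on whichever public value arrived, so nothing inside the exchange itself authenticates the provider's key; only the transport (HTTPS) could.

```python
import hashlib
import secrets

# Toy DH group for illustration only (constructed; OpenID 2.0 ships its own 1024-bit default modulus).
P = 2**127 - 1  # Mersenne prime M127
G = 3


def btwoc(n: int) -> bytes:
    """OpenID 'btwoc' encoding: big-endian two's complement, minimal length, non-negative."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b if b[0] < 0x80 else b"\x00" + b


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """Holder of one DH key pair: the relying party, the OpenID provider, or anyone else."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)  # the value sent as dh_consumer_public / dh_server_public

    def shared_digest(self, other_pub: int) -> bytes:
        # DH-SHA1: H(btwoc(g^(xa*xb) mod p)); the only input is the peer's public value
        return hashlib.sha1(btwoc(pow(other_pub, self.priv, P))).digest()


def op_encrypt_mac_key(op: Party, rp_pub: int, mac_key: bytes) -> bytes:
    """Provider side: enc_mac_key = H(shared) XOR mac_key (20-byte key for HMAC-SHA1)."""
    return xor(op.shared_digest(rp_pub), mac_key)


def rp_recover_mac_key(rp: Party, op_pub: int, enc_mac_key: bytes) -> bytes:
    """Relying party side: mac_key = H(shared) XOR enc_mac_key, for whatever op_pub it was given."""
    return xor(rp.shared_digest(op_pub), enc_mac_key)


def dh_association(rp: Party, key_holder: Party, mac_key: bytes) -> bytes:
    """Run the association with any party that holds a DH key pair; returns the key the RP ends up with."""
    enc = op_encrypt_mac_key(key_holder, rp.pub, mac_key)
    return rp_recover_mac_key(rp, key_holder.pub, enc)


def demo(mac_key: bytes) -> tuple:
    """Returns (key matched with the real OP, key matched with an unrelated key holder)."""
    rp, op, stranger = Party(), Party(), Party()
    # Both runs succeed: the RP has no way to tell op.pub from stranger.pub without HTTPS.
    return (dh_association(rp, op, mac_key) == mac_key,
            dh_association(rp, stranger, mac_key) == mac_key)
```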

I do not understand the inconsistencies in the OpenID design. But regardless of that, it seems to work and gain acceptance. And it is such a foolishly simple thing that it may become popular after all. King of the Fools. Such things just happen ... sometimes (read: all the time).

I'm not going to dig into the trust issues of OpenID and HTTPS/X.509 today. Maybe later ...

Update: I almost forgot. Thanks to Dave Kearns, who provoked this rant. Foolish me. :-)

Posted by semancik at 12:53 AM in Identity
