Report from IIW…

December 17th, 2007

I’ve finally uploaded some photos from Phil Windley’s not-to-miss 2007 Internet Identity Workshop a few days ago. It was a great event and yielded some awesome discussions.

I moderated a session titled “Which IDPs can you trust”. After some discussion, the title became “How do you know at what level to trust an IDP?”. That yielded two other problem areas (1: a common way of describing levels of trust, and 2: how to convey that to relying parties).

The session centred on the problem of phished Identity Providers (IDPs), which is structural in nature: a Relying Party (RP) sends a user off to a third party to authenticate their OpenID, so what happens if that third party is compromised?

Whiteboard 1 of 3
A user signs into a website (aka Relying Party), which authenticates that ID with an IDP before continuing to a transaction. There are two classes of problems:
- 1 – phishing
- 2 – bad IDPs
After some discussion, we agreed that a phished IDP is essentially a bad actor, so a bad IDP became the real problem.

Whiteboard 2 of 3
We then listed different possible methods of solving the authentication problem:
- black lists
- white lists
- closed circles
- authentication certificates
- reputations (using a scoring mechanism)
- trust networks

Whiteboard 3 of 3
Here, we listed some use cases and various authentication implementations (note the cool use of the equal sign :) An interesting outcome emerged: for ‘lite’ authentication OpenID sufficed, but any important transaction involving more than just email authentication requires a higher-order solution.

ID USAGE               SOLUTION
= blogging             OpenID
= email or internet    OpenID
= Social Networking    OpenID
= e-government         Cardspace, SAML, PKI or custom solution
= e-commerce           same as above
= financial mgmt       same as above
= medical transaction  same as above
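
The following is an added example, not code from the post or from any OpenID library, showing how a Relying Party could combine the whiteboard-2 methods (black list, white list/closed circle, reputation score) with the whiteboard-3 usage table into one decision: a phished IDP is treated as a bad actor and rejected outright, ‘lite’ usage accepts OpenID, and everything else (including usage the RP has not classified) requires a higher-order mechanism. The host names, scores and threshold are constructed placeholders.

```python
from urllib.parse import urlparse

# Usage classes from the whiteboard-3 table. Anything not listed here as
# "lite" is treated as high-assurance, so an unknown usage fails closed.
LITE_USAGE = {"blogging", "email", "social_networking"}
STRONGER_MECHANISMS = ("Cardspace", "SAML", "PKI")

# Constructed sample IDP evidence (placeholder hosts, not real providers).
DENYLIST = {"phished-idp.example"}        # black list: phished IDP == bad actor
ALLOWLIST = {"vetted-idp.example"}        # white list / closed circle
REPUTATION = {"community-idp.example": 0.82, "new-idp.example": 0.25}
REPUTATION_THRESHOLD = 0.6                # scoring-mechanism cut-off


def idp_host(op_endpoint):
    """Return the lower-cased host of an OpenID provider endpoint, or None if malformed."""
    parsed = urlparse(op_endpoint)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def idp_trust_level(op_endpoint):
    """Classify the IDP using the whiteboard-2 methods; the deny list beats everything."""
    host = idp_host(op_endpoint)
    if host is None or host in DENYLIST:
        return "bad"
    if host in ALLOWLIST:
        return "vetted"
    if REPUTATION.get(host, 0.0) >= REPUTATION_THRESHOLD:
        return "reputable"
    return "unknown"


def rp_decision(usage, op_endpoint):
    """Decide what the Relying Party requires for this usage class and IDP."""
    level = idp_trust_level(op_endpoint)
    if level == "bad":
        return {"action": "reject", "idp": level}
    if usage in LITE_USAGE:
        return {"action": "accept_openid", "idp": level}
    # e-government, e-commerce, financial, medical and anything unlisted:
    # OpenID alone is not enough, a higher-order mechanism is required.
    return {"action": "step_up", "idp": level, "accept": STRONGER_MECHANISMS}
```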

The bad news is that the space is still nascent and very much risks descending into the hell that email and ISPs have become (e.g. blacklisting of ISPs on a per domain basis). The good news is that the use cases are getting clearer and different technical solutions are being implemented. OpenID is rapidly becoming the authentication mechanism of choice for basic internet usage.

Entry Filed under: Internet & Technology

1 Comment

  • 1. You’ve Got Ismail! …  |  May 8th, 2010 at 1:18 pm

    [...] attended and spoken at two or three IIW workshops and having worked on Angstro with Rohit Khare for a while now, I think [...]
