Friday, November 03, 2006

Is OpenID Snake Oil?

Of course not, but here's a concern that the very enthusiastic proponents of this (and other) schemes don't seem to worry about.

So, if I register as Bill Gates on OpenID, post a blog with a picture I scraped from Wikipedia, and then start blogging on how much I love BSD and how I was forced to work at Microsoft all those years by aliens...then users of your system could detect that this is phony, and really NOT Bill Gates?

I now control billgates.pip.verisignlabs.com. I opened an account on LiveJournal. Now, I can post whatever I want and as long as the users don't explicitly apply a healthy amount of scrutiny, what's to stop me from influencing world events? And how often do the consumers of mass media scrutinize what they're reading?

So, here comes a very reasonable, and laudable project - OpenID - that wishes to make it "easier" to trust id through Diffie-Hellman shared secrets. Interesting? Yes. Open and therefore fully trustworthy? NO!

People trust authority. People want to trust governments and companies. They can't, but they want to. People trust what people see other people doing. Therefore, if OpenID is successful, and governments and companies do rely on them, then abuse of this scheme could cause trouble via mistaken or deliberately stolen urls/ids/etc:
* lost jobs
* lost business
* lost credibility

Employers are now searching candidates on Google and blogs. Imagine "John Smith"...what if there are 5 of them in your town? What if one of them is a Neo-Nazi? What if the employer HR person doesn't have 30 minutes per candidate to scrutinize all these blogs and verify true human identity? What if their HR system AUTOMATICALLY trusts OpenIDs!!

Paranoia? Of course. Should we be concerned? I think so. Is it better than what's out there? Probably, but I reserve judgment.

Reprise:
Kim Cameron has a concise, brilliant synopsis of a valid and useable id system:
"Whatever it is, a real identity system needs us to do a lot better. In particular, the identity system must extend to and integrate the human user.
The Law of Human Integration
The universal identity system MUST define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.
One of the people who has thought long and hard about these issues is Carl Ellison. He has coined the term Ceremony for interactions that span a mixed network of human and cybernetic system components. Carl worked on this idea when he was at Intel and I interview him about his work here." -- KC's blog

5 comments:

Robert A. Ficcaglia said...

I dialed back the "humor" and sarcasm. I know the folks at OpenID are trying to do good work, and not all people share my very caustic sense of humor (so my wife reminds me). So rather than risk offending anyone, I felt some editorial revision was in order.

David Recordon said...

Robert,
I think the issues you raise are definitely valid, though the same problem also exists if I go register bill.gates@msn.com. What OpenID enables is the ability for attributes to become verified, by trusted parties, as the technology continues to evolve. I liked the tone of your post though, some humor is always good. :)

--David

Robert A. Ficcaglia said...

True - it is much easier to criticize without providing a solution. And, I do agree OpenID represents a positive step forward from what exists today. To be completely open myself, Johannes Ernst did present a much less sanguine and more pragmatic view. His insights, unfortunately, were quickly drowned out by more boisterous evangelists. What I witnessed was the healthy initial skepticism of participants quickly engulfed by the foment.

Security frameworks are difficult to design and even harder to implement. They take lots and lots of vetting. I am not suggesting we stop forward progress, but I certainly think that as security professionals, it is our responsibility to educate and debate more than get press and hype. Especially with respect to identity.

Thanks for the vote of confidence on the humor side...if this tech career doesn't work out, maybe there's a job as professional comedian :)

Robert A. Ficcaglia said...

Having taken such a negative posture --- I deemed it responsible to review the spec more carefully, and it quite clearly states its goal:
"OpenID Authentication provides a way to prove that an End User owns an Identifier."

So, for this purpose, I completely approve of OpenID. That said, it won't prove that someone does NOT own a URI as discussed in the post, or that a human is in any way identified by that URI. After all, there are automated attacks possible. So, if your interest is to simply associate a URI with a username on your Web 2.0 site...I will gladly help you use OpenID. If you want to identify humans, on the other hand, I would not use it currently for anything more than blog-o-lic.i.o.us data that you don't ever think anyone will read or use against you in a job interview, dating scenario, legal venue, salary review, marital discussion, financial transaction, etc.

I do have a solution in mind to uniquely identify humans: offer a free Big Mac. You'd be surprised how many humans on this planet will gleefully give away every bit of confidential, private, personal, financial, sexual, family, medical and any other manner of information without hesitation simply to get some free stuff. Keep your eyes open for my new service!

Robert A. Ficcaglia said...

I recently read 2 comments from the industry against 2 factor authentication. One was from Bruce Schneier on his Cryptobytes blog (link?), and another was from an OWASP presentation:

http://wittys.com/owasp/cscott-Stronger%20Web%20Authentication-v1.0.ppt#260,5,Two-factor Too Much

From my own personal experiences, 2 factor of any form (hardware, smart card, software smartcard, USB token, etc.) has never penetrated mass market. Maybe if the problem grows so bad that more people lose their ID than not, the public will tolerate the inconvenience and the market will bear the cost. But until that unlikely point, I would expect more and more "risk based" profiling. The downside? Well, of course the same swelling volume of personal information gathered in the name of security will be handy for marketing, insurance, mortgage, lending, and other purposes! Who's watching the data?? And we all know how easily that data itself can be stolen!

Hmmmm...it really makes me wonder.