Friday, November 02, 2007

Burton Group on OpenID

In the Security and Risk Management Strategies Blog, Bob Blakley asks appropriate questions in his post "WHAT IS OPENID FOR?"

Having some PKI background (I'm recovering...), I know these are the questions upon which identity systems can founder.

In particular:
4. What is the threat model?

What threats is OpenID designed to protect against? Accidental failures at a participating party? Malicious behavior by users? Malicious behavior by relying parties? Malicious behavior by OpenID providers? Wiretappers? Hackers attempting to penetrate a relying party? Hackers attempting to penetrate a provider? Hackers attempting to penetrate a client system? Cryptanalysts?
