Authentication Requires Trust
I was reading Aswath’s post on OpenID today and I realized the fundamental flaw with it: anyone can create an authentication server to validate your request. While that’s fine and dandy from a lack-of-vendor-lock-in point of view, from an authentication point of view it’s horrible. What’s worse is that there is no trust built into the model. Even the How This Works page at OpenID says so!
To me, authentication and identity go hand in hand. You can’t prove identity without authenticating it, and you can’t use someone else’s authentication with your identity. Try using someone else’s login and your password to get onto a website. Does it work? If it does, you both picked really bad passwords!
The closest analogy I can think of to OpenID is PGP. PGP is an encryption standard that relies on asymmetric encryption with public and private keys. As with OpenID, there is no central certifying authority. However, PGP has a sort of “web of trust” model where participants in the system “sign” each other’s keys. The idea being that I trust the key I received is Bob’s because Alice signed it, and I trust Alice.
OpenID creates a situation where I could set up my own OpenID server and say “I assert that PhoneBoy is who he says he is.” In other words, I’m saying “I am who I say I am because I say so.” How do you know my word is good? At least PGP gives you a mechanism by which to decide whether or not a particular key is valid. It’s certainly not perfect, but it’s better than no trust mechanism at all, which is exactly what OpenID has.
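To make the PGP comparison concrete, here is an added example (not code from the original post, and not GnuPG’s own implementation) that models the web-of-trust validity computation and then runs the OpenID-style “I vouch for myself” case through it. It assumes the classic GnuPG-style thresholds (one fully trusted signer or three marginally trusted signers make a key valid, searched to at most five hops) and models signatures as already-verified (signer, signed) pairs rather than doing the cryptography; the names phoneboy, alice, bob, carol, dave, erin, frank, grace, mallory and openid.example are constructed for the scenario.

```python
from collections import defaultdict

# Trust a local user may assign to a key's OWNER as a certifier (PGP "owner trust").
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

# Thresholds assumed here (GnuPG's classic-model defaults): a key becomes valid
# when signed by 1 fully trusted valid key or 3 marginally trusted valid keys,
# searching at most 5 certification hops out from the local user.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_valid_keys(signatures, owner_trust, me):
    """Return {key_id: depth} for every key whose validity `me` can establish.

    signatures: iterable of (signer_key, signed_key) pairs, assumed already
    cryptographically verified (this toy model skips the signature check).
    owner_trust: {key_id: ULTIMATE|FULL|MARGINAL}; keys absent here count for
    nothing as certifiers even if their own key turns out to be valid.
    A signature only counts once the signer's key is itself valid, so every
    chain of trust is rooted in `me`, never in a key that merely signs itself.
    """
    sigs_on = defaultdict(set)
    for signer, signed in signatures:
        if signer != signed:  # a self-signature carries no third-party trust
            sigs_on[signed].add(signer)

    valid = {me: 0}  # my own key is valid by definition (ultimate trust)
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly_valid = {}
        for key, signers in sigs_on.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid]
            full = sum(1 for s in usable if owner_trust.get(s) in (ULTIMATE, FULL))
            marginal = sum(1 for s in usable if owner_trust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = depth
        if not newly_valid:
            break  # fixpoint reached: no further key can be validated
        valid.update(newly_valid)
    return valid


def constructed_scenario():
    """Constructed sample data (not from the post). Returns (signatures, owner_trust)."""
    signatures = [
        ("phoneboy", "alice"),                                      # I signed Alice's key
        ("alice", "bob"),                                           # Alice signed Bob's key
        ("phoneboy", "carol"), ("phoneboy", "dave"), ("phoneboy", "erin"),
        ("carol", "frank"), ("dave", "frank"), ("erin", "frank"),   # three marginal signers
        ("carol", "grace"), ("dave", "grace"),                      # only two marginal signers
        # The OpenID analogy: a server nobody has vouched for asserts its own
        # identity and then vouches for a user. "I am who I say I am because I say so."
        ("openid.example", "openid.example"),
        ("openid.example", "mallory"),
    ]
    owner_trust = {
        "phoneboy": ULTIMATE,
        "alice": FULL,                     # I trust Alice's judgement as a certifier
        "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL,
        # openid.example and mallory: no owner trust assigned at all
    }
    return signatures, owner_trust


def trusted_assertion(asserter, subject, valid):
    """Would I accept `asserter` vouching for `subject`? Only if the asserter's
    own key is valid in my web of trust and the subject's key became valid."""
    return asserter in valid and subject in valid


if __name__ == "__main__":
    sigs, trust = constructed_scenario()
    valid = compute_valid_keys(sigs, trust, "phoneboy")
    for key in ("alice", "bob", "frank", "grace", "openid.example", "mallory"):
        state = "valid (depth %d)" % valid[key] if key in valid else "NOT valid"
        print(f"{key:16} {state}")
    print("accept openid.example's assertion about mallory:",
          trusted_assertion("openid.example", "mallory", valid))
```

Note the distinction the model keeps, which is the one the post is driving at: a key being *valid* (someone I trust vouched for it) is separate from the *owner trust* I assign to it as a certifier. The self-signed openid.example key never becomes valid because no chain of signatures leads back to me, so its assertion about mallory is worth nothing, however loudly it is made.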
Am I overreacting to this or am I right?
Pingback by Authentication | directory-financial.info
Pingback by OpenID: A possible identity mechanism for VoIP? -- Alec Saunders .LOG
[...] Holes? Well, as Phoneboy pointed out, there is no trusted authority required in the spec. But, according to the website, Verisign can provide that. Moreover, because it’s open and distributed, why couldn’t your employer, the local police station, your phone company or your church vouch for you? [...]
Pingback by Blog by Kveton » OpenID + VoIP == Good?
[...] I happened upon a discussion about using OpenID for authenticating VoIP clients to one another that was sparked by this post posted by Martin Geddes. That was followed up by Aswath with a post describing how you could use OpenID to help assert your identity with VoIP calls. This was followed up by Phoneboy (not his real name, I *think* - heh) leading to a discussion about OpenID and its lack of trust. [...]
Pingback by The PhoneBoy Blog » Eating My Words on OpenID
[...] Between a private email from Aswath and other posts on OpenID, I have reconsidered my opinion on this. It may not be such a bad thing after all. [...]
Trackback by Telepocalypse
Shut up, Martin!…
There seems to be considerable public demand, so I’ll explain why no amount of technology is going to make an open voice network appear. I’ve written about open vs. closed networks before a bit. We don’t have a comprehensive theory……
Pingback by The Trustworthiness of the OpenID Authentication System at iF20: Innocence. Innocent as we are, we are bound to be happy.
[...] But PhoneBoy is skeptical of how arbitrary and unconstrained this kind of authentication service is; in his post “Authentication Requires Trust” he raises the question of how the trustworthiness of such an authentication service can be guaranteed. There is an old Chinese saying, “Granny Wang sells melons and praises her own wares,” and the same applies to a self-hosted OpenID authentication server. How do you guarantee that the information your authentication provides is genuine? OpenID’s operating mechanism does no verification of this. On the contrary, the description of how OpenID works addresses the trust question like this: This is not a trust system. Trust requires identity first. [...]
Trackback by Blue Box: The VoIP Security Podcast
Blue Box #48: The Crystal Ball Edition - Top VoIP Security issues of 2006 and predictions for 2007, Skype worm that wasn’t, drive-by SPIT, OpenID, poking holes in firewalls, listener comments and more……
Synopsis: The Crystal Ball Edition - Top VoIP Security issues of 2006 and predictions for 2007, Skype worm that wasn’t, drive-by SPIT, OpenID for SIP authentication, poking holes in firewalls, listener comments and more… Welcome to Blue Box: The VoI…
Pingback by I Got BlueBoxed!
[...] A recent post of mine got mentioned on the Blue Box VoIP Security Podcast (specifically on Episode #48)! Hm… I might have to start listening to this podcast. [...]
Pingback by chobas.com’s blog » I really don’t know what to title this one
[...] get it and how it’s the latest meme and the fashionable fad. And I was going to cite this guy’s post. But then he reneged on his stance and wrote this. There remains something that I don’t like [...]
Pingback by VoIP Caller ID Is On Its Way - VoIP News