OpenID 2.0 and Phishing

There has been a bunch of discussion about OpenID 2.0 and how the latest draft does not address phishing at all.

First and foremost: phishing is an extremely important problem, and one that is broader than OpenID. It just so happens that OpenID exacerbates it: if you phish someone’s OpenID, you could potentially get access to every site they log in to with it. I couldn’t agree more.

Alright, so let’s step back for a moment and ask ourselves: why hasn’t phishing been solved before this? It’s been a huge problem for folks like PayPal and eBay. I think the main reason is that the problem is compartmentalized. Today, you might get one account (albeit a very important account) phished, but it’s just that one account you have to deal with. As such, no real definitive solutions have come up to completely (or mostly completely) solve the problem.

Enter OpenID 2.0. OpenID 2.0 is the culmination of lots of technology, ideas and people from many different schools of thought on identity. With pieces of Sxip, LID, XRI and others involved, we have a unique solution that is quickly gaining market and mind share. What’s really interesting is the firestorm this has kicked up on the mailing list about phishing. Wow! This is fantastic! People are actually devoting some serious attention to phishing and proposing some excellent solutions to it. If anything, the OpenID discussion might help the phishing discussion (and thus OpenID) move forward.

We’ve got proposals for Petnames/Passpet, SRP, the creation of an identity manager, the use of InfoCards with OpenID and a raft of others. This is great. The conversation is happening and solutions are being worked on. Wow. Talk about cool.

What’s most interesting to me is the nature of OpenID and why it’s succeeding. OpenID is the HTML to the world’s SGML identity solutions. Yes, SGML was infinitely superior to HTML, but it was HTML that “won” out. Simple works, and not only that, simple wins. The barrier to adoption has to be low, and the ability for the technology to proliferate bottom-up is critical to the success of a technology like OpenID.

I was going to write more on this but when I found Gabe Wachob’s post I just stopped and realized it couldn’t be said any better:

No, OpenID doesn’t solve all problems, and maybe today it only solves a very narrow set of problems with an acceptable risk profile. But to me, that’s not the point - it’s the unleashing of creativity and the power to let developers and architects focus on what they are interested in and good at. Security and identity nuts can focus on authentication and let the social networking, wiki-touting, web 2.0-heads do what they do best! OpenID is an abstraction, a key middle ground for these folks to meet and leverage each other’s work - that OpenID is deployed for use in a fairly narrow set of use cases TODAY should not mean that it will not be very important in the very near future…

Gabe is dead on … OpenID makes the problem of phishing that much more important … the people on the general list and all of the great discussion in this space are leading to a solution. This is a solution that might not have been possible were it not for OpenID. If done correctly, the technologies and methods adopted by OpenID providers could be a significant driver of the technology.

About

This is the blog of Scott Kveton, digital identity promoter, open source contributor, avid gardener, passionate pizza maker, loving husband and proud father.



    Scott,

    You’ve linked to Kim Cameron’s Integrating OpenID and Infocard in this post.

    When you look at how simple it could be for an OP to integrate with InfoCard (and understand the benefits), it sounds like a great synergy to me… What are your thoughts on this? Does JanRain have any plans to perhaps go down this path, i.e. supporting infocard logins @ myopenid?

    Ian.

    Hi Ian,

    I’m loving the discussion happening on the general list … we’re looking to implement a lot of suggestions already made there.

    As far as implementing InfoCard on MyOpenID, we’re going to take a hard look. I’ve got a post I’m working on about this specifically that I’ll try to get out tomorrow.

    We’re just not seeing any demand for InfoCard today. Not one user has asked for InfoCard support and nearly 60% of our visitors use Firefox as their browser.

    I’m much more interested in the discussions happening with Mozilla on creating platform and provider independent tools built into Firefox for giving users better control of their digital identities.

    More to come soon, thanks for the question … :-)

    Your link to the SRP project at Stanford is broken. The correct link is http://srp.stanford.edu/. This is an amazing remote password protocol, which has nearly ideal security properties. It should definitely be included in the OpenID standard. No, I have nothing to do with it, I just read the spec and found it to be an astonishingly brilliant protocol.

    [stefan]
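Stefan’s comment above recommends SRP as the kind of protocol that would keep a phished OpenID password out of an attacker’s hands. What follows is an added example written for this page, not code from the post, from JanRain or from the Stanford SRP project: a minimal SRP-6a exchange in Python. The group (N = 2^31 - 1 with generator 16807), the `Client`, `Server` and `login` names and the sample user are all constructed here for readability; SRP proper requires a large safe prime such as the groups published in RFC 5054. It shows the property that matters for the phishing thread: the OP stores only a salted verifier, the password never crosses the wire, and a wrong password simply fails key agreement.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only: N = 2^31 - 1 is prime and
# g = 16807 is a primitive root mod N (the Park-Miller constant). Real SRP
# needs a large *safe* prime, e.g. the 1024-bit and larger groups in RFC 5054.
N = 2**31 - 1
g = 16807


def H(*parts):
    """SRP's H(): SHA-256 over the concatenated ints/bytes/strs, as an int."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(max(1, (part.bit_length() + 7) // 8), "big")
        elif isinstance(part, str):
            part = part.encode()
        h.update(part)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier, fixed by the group parameters


def make_verifier(username, password, salt=None):
    """Registration: the OP keeps (salt, v) and never sees the password again."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    x = H(salt, H(f"{username}:{password}"))
    return salt, pow(g, x, N)


class Client:
    """User side: knows the password; sends only A and a proof of the key."""

    def __init__(self, username, password):
        self.I, self.p = username, password
        self.a = secrets.randbelow(N - 2) + 1   # ephemeral private value
        self.A = pow(g, self.a, N)               # public value sent to the OP

    def session_key(self, salt, B):
        if B % N == 0:
            raise ValueError("rejecting B == 0 mod N")
        u = H(self.A, B)
        if u == 0:
            raise ValueError("rejecting u == 0")
        x = H(salt, H(f"{self.I}:{self.p}"))
        # (B - k*v) == g^b mod N, so both sides reach S == g^(b*(a + u*x))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return H(S)


class Server:
    """OP side: holds verifiers only. Per-login state lives on self for
    brevity; a real OP keys it by session."""

    def __init__(self, users):
        self.users = users  # username -> (salt, v)

    def challenge(self, username, A):
        if A % N == 0:
            raise ValueError("rejecting A == 0 mod N")
        salt, v = self.users[username]
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * v + pow(g, self.b, N)) % N
        u = H(A, self.B)
        if u == 0:
            raise ValueError("rejecting u == 0")
        S = pow((A * pow(v, u, N)) % N, self.b, N)
        self.K = H(S)
        return salt, self.B

    def verify(self, M1):
        """Key confirmation: accept only if the client derived the same K."""
        expected = H(self.A, self.B, self.K)
        return hmac.compare_digest(str(M1), str(expected))


def login(username, password, server):
    """One complete SRP login. True iff both sides agree on the session key."""
    client = Client(username, password)
    salt, B = server.challenge(username, client.A)
    K_client = client.session_key(salt, B)
    return server.verify(H(client.A, B, K_client))


if __name__ == "__main__":
    op = Server({"alice": make_verifier("alice", "correct horse battery")})
    print("right password:", login("alice", "correct horse battery", op))
    print("wrong password:", login("alice", "hunter2", op))
```

Run it directly to see one successful and one failed login. What a site impersonating the OP would capture from the client is A and the proof H(A, B, K); neither contains the password, and because a and b are fresh for every login the captured values cannot be replayed against the real OP.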

    The issue with SRP is that there are patent issues involved. Stanford has made their patents available, but there are others that may (or may not) overlap things, so that’s why it’s not taken off.

    Patent issues are said to be resolved. There never was a definitive claim; the notification has not been mentioned by anyone again in about 10 years. The TLS integration of SRP is moving forward.
