WebApp Sec: Re: OpenID and the web

["Jeremiah Cornelius" <jeremiah () nur net>]

I think that OpenID is concerned more with the problem of "Federating" 
identity - which is corollary to SSO - but not necessarily the same Thing.
Microsoft tried web SSO with Passport.  It was viewed as proprietary, and 
requiring full trust in Microsoft.  The new Microsoft effort is around 
CardSpace, a WSsecurity - oriented framework and client API, extensible to 
consume SAML, etc.  This is a federation play, that can aggregate signon and 
authorizations.
That the OpenID tent seems big enough to accommodate CardSpace is indication 
that federation of ID is more than just SSO.
JC

--------------------------------------------------
From: "David Wall" <dwall () yozons com>
Sent: Thursday, March 27, 2008 8:30 AM
To: "Babu.N" <babun () intoto com>
Cc: "Eric Marden" <security () xentek net>; <webappsec () securityfocus com>
Subject: Re: OpenID and the web

> > Yes, it is difficult to configure it for supporting sites.
> >
> > But it does save us from registering at multiple webistes & remembering 
> > the passwords of each of them.
> Single sign-on only is truly useful if nearly all sites adopt it, 
> unfortunately.  After all, I have a Password Safe file that contains 225 
> entries now (many are business-related, but many are for the various 
> personal sites I'm registered at).  If 25 sites adopt a common SSO, I'd 
> still have 200 entries, meaning I'd still need/use Password Safe (or other 
> password manager, which is really extremely useful and easy to use and 
> allows me to effectively remember all passwords by only remembering one 
> good pass phrase that never is shared with anybody).
> If they all adopted, then I wouldn't need it, which would be awesome, but 
> seems unlikely to happen, and of course there are passwords I have to 
> "remember" that are not for web sites.
> Also, isn't entering the pseudo-random numbers subject to MITM with replay 
> attack?  I've not researched it much, but in general you need to ID 
> yourself and give the value, at which time the info used could be 
> replayed.
> Also, those in control the ID databases have to be trusted that their 
> employees/contractors/outsourcers won't somehow steal or otherwise lose 
> control of the data, something we see all the time with sensitive 
> financial and medical records.  If you break my password at one site today 
> (such as a data loss or other phishing scam, etc.), you don't get access 
> to all my accounts like you would through SSO.
> Don't get me wrong, I like SSO in general, but I think "universal SSO" is 
> extremely unlikely.  There are control issues, liability issues, risk 
> management issues and just plain old competitor cooperation issues.
> David
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire Methodologies & Tools for Web Application Security 
> Assessment With the rapid rise in the number and types of security 
> threats, web application security assessments should be considered a 
> crucial phase in the development of any web application. What methodology 
> should be followed? What tools can accelerate the assessment process? 
> Download this Whitepaper today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------