[cap-talk] Report on the Internet Identity Workshop.

Karp, Alan H alan.karp at hp.com
Fri Nov 6 13:45:12 PST 2009


I just returned from the Internet Identity Workshop (IIW), which has a lot of attendees from the OpenID, OAuth, and CardSpace communities. Notes of the sessions will be posted at http://www.internetidentityworkshop.com/ shortly. 

The first session I attended was on security issues for OpenID.  The list of vulnerabilities was long, and the list of possible fixes was much shorter.  The good news is that many of the vulnerabilities come from poor implementations due to imprecision in the spec, and others come from the need to maintain backward compatibility, e.g., the current practice of using HTTP for OpenID URLs rather than HTTPS.  Unfortunately, there are other vulnerabilities that don't appear to have easy solutions.

The most interesting session I attended reported on work being done in the OAuth working group of IETF, http://www.ietf.org/dyn/wg/charter/oauth-charter.html.  Originally called "Simple OAuth", WRAP (Web Resource Authorization Protocol) is being developed to address weaknesses in the authorization process in the original OAuth protocol.  WRAP is supported by Microsoft, Google, and Yahoo.  The key idea of WRAP is to separate the authorizing component from the resource provider.  Basically, a client authenticates to the authorization service and gets an authorization token, which is submitted to the resource along with the request, a ZBAC pattern.  There is a discussion group at http://groups.google.com/group/oauth-WRAP-WG.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
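The WRAP pattern described in the message above, as an added example that is not part of the original post or of the WRAP specification: an authorization service authenticates the client and issues a token, and a separate resource checks that token locally without seeing the client's credentials. The token format (HMAC-signed JSON over a shared key), the client registry and the scope names are assumptions made for this illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: the authorization service and the resource share this key so
# the resource can verify tokens offline. Key value is constructed for the demo.
TOKEN_KEY = b"constructed-demo-key"

class AuthorizationService:
    """Authenticates clients and issues scoped, time-limited access tokens."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, set of allowed scopes)

    def issue_token(self, client_id, client_secret, scope, ttl=300, now=None):
        secret, allowed = self.clients.get(client_id, (None, set()))
        # Constant-time comparison so a wrong secret is not distinguishable by timing.
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        if scope not in allowed:
            raise PermissionError("scope not permitted for this client")
        exp = int((now if now is not None else time.time()) + ttl)
        payload = {"client": client_id, "scope": scope, "exp": exp}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

class ResourceServer:
    """Accepts a request only if the presented token is genuine, unexpired and in scope."""
    def verify(self, token, required_scope, now=None):
        try:
            body, mac = token.split(".", 1)
        except ValueError:
            return False  # malformed token
        expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged or tampered token
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] <= (now if now is not None else time.time()):
            return False  # expired token
        return payload["scope"] == required_scope

if __name__ == "__main__":
    auth = AuthorizationService({"photo-app": ("s3cret", {"read:photos"})})
    resource = ResourceServer()
    token = auth.issue_token("photo-app", "s3cret", "read:photos")
    print("read allowed:", resource.verify(token, "read:photos"))    # True
    print("write allowed:", resource.verify(token, "write:photos"))  # False
```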