Archive for December, 2008

December 30, 2008
PAPE Specification Approved and Ready for Use

As I just announced on, OpenID Provider Authentication Policy Extension 1.0 (PAPE) has just been approved as an OpenID specification. Deployment of PAPE will go a long way towards mitigating the phishing vulnerabilities of password-based OpenIDs: it enables OpenID Relying Parties to request that OpenID Providers employ phishing-resistant authentication methods when authenticating users, and it enables OpenID Providers to inform Relying Parties whether this (and other) authentication policies were satisfied.

It’s tempting to say that the approval of the specification is the fulfillment of the promise of the OpenID/CardSpace collaboration for phishing-resistant authentication introduced by Bill Gates and Craig Mundie at the RSA Security Conference last year, but it’s really just an enabling step. The true value of PAPE will come when it is widely deployed by security-conscious OpenID Relying Parties, and the use of phishing-resistant authentication methods, such as Information Cards and others, is widespread and commonplace. Let the deployments begin!
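As an added example, not code from the original post or from the OpenID Foundation, here are the two halves of the exchange described above as a Relying Party sees them: the parameters it adds to its authentication request to ask for a phishing-resistant login, and the check it runs on the Provider's answer. The parameter names and policy URIs are the ones PAPE 1.0 defines; the sample Provider response is constructed for this example, with the identity and association fields of a real response omitted and a placeholder signature. The one rule worth remembering is in `check_pape_response`: a policy claim is only worth anything if it is among the fields covered by the OP's signature.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Namespace and policy URIs defined in PAPE 1.0.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_PREFIX = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_PREFIX + "phishing-resistant"
MULTI_FACTOR = POLICY_PREFIX + "multi-factor"
NONE_SATISFIED = POLICY_PREFIX + "none"   # OP met none of the requested policies


def pape_request_params(preferred_policies, max_auth_age=None):
    """Extension parameters the RP adds to its checkid_setup / checkid_immediate
    request.  preferred_policies is ordered, most preferred first."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        # Oldest active authentication (in seconds) the RP is willing to accept.
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def parse_auth_time(value):
    """openid.pape.auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _pape_alias(response):
    """The OP may bind the PAPE namespace to any alias, not only 'pape'."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def check_pape_response(response, required_policy, max_auth_age=None, now=None):
    """True only if the OP asserts, in signed fields, that required_policy was
    satisfied and (when max_auth_age is given) that the login is fresh enough.

    Assumes the caller has already verified openid.sig over the fields listed
    in openid.signed, as for any OpenID 2.0 positive assertion.  What this adds
    is the PAPE-specific rule: a policy claim that is not covered by the
    signature could have been added by anyone and must not be trusted."""
    alias = _pape_alias(response)
    if alias is None:
        return False                      # OP said nothing about policies
    signed = set(response.get("openid.signed", "").split(","))  # names lack "openid."
    policies_key = f"{alias}.auth_policies"
    if f"ns.{alias}" not in signed or policies_key not in signed:
        return False
    policies = response.get("openid." + policies_key, "").split()
    if NONE_SATISFIED in policies or required_policy not in policies:
        return False
    if max_auth_age is not None:
        time_key = f"{alias}.auth_time"
        if time_key not in signed or "openid." + time_key not in response:
            return False                  # freshness requested but not asserted
        age = (now or datetime.now(timezone.utc)) - parse_auth_time(response["openid." + time_key])
        if age.total_seconds() > max_auth_age:
            return False
    return True


# Constructed sample of a positive assertion from an OP that used a
# phishing-resistant method.  The identity, return_to, nonce and association
# fields of a real response are omitted and the signature is a placeholder,
# since only the PAPE fields matter here.
SAMPLE_RESPONSE = dict(parse_qsl(
    "openid.ns=http://specs.openid.net/auth/2.0"
    "&openid.mode=id_res"
    "&openid.ns.pape=" + PAPE_NS +
    "&openid.pape.auth_policies=" + PHISHING_RESISTANT +
    "&openid.pape.auth_time=2008-12-30T10:00:00Z"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,"
    "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time"
    "&openid.sig=placeholder"
))


def without_signature_on(response, field):
    """Copy of response with `field` dropped from openid.signed: what an attacker
    (or a careless OP) produces when the PAPE claim is not signed."""
    out = dict(response)
    out["openid.signed"] = ",".join(f for f in out["openid.signed"].split(",") if f != field)
    return out
```

An RP that wants a phishing-resistant login calls `pape_request_params([PHISHING_RESISTANT], max_auth_age=300)` when building its request and then, after the usual signature verification, accepts the session only if `check_pape_response(response, PHISHING_RESISTANT, 300)` is true. Note that an OP which simply omits the PAPE fields, or answers with the "none" policy, is treated the same as one that refused: silence is not compliance.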

December 30, 2008
Systems Will Be Breached

Scott Merrill writes that:

At the 25th Chaos Communication Congress (CCC) today, researchers will reveal how they utilized a collision attack against the MD5 algorithm to create a rogue certificate authority.

As Scott says, this is pretty big news, so I encourage you to read his post and the paper describing the breach. He also writes that “affected CAs are switching to SHA-1”.

This episode immediately reminded me of a principle that Kim often espouses:

The way to design securely is to assume your system WILL be breached and create a design that mitigates potential damage.

I’ll leave it to others to debate whether CAs switching to SHA-1 is likely to be an effective mitigation in the long term and to discuss how long it will take before this particular breach has been worked around. But this sure provides (more) convincing evidence that designing systems with the assumption that they will be breached is essential to those systems’ robustness and long-term viability.
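As an added example that is not part of the original post or of the paper it discusses: the first practical question after news like this is which algorithm signed each certificate in your own chains. The small DER walker below reads that out of a certificate (both the outer signatureAlgorithm and the copy inside tbsCertificate, which RFC 5280 requires to agree) and classifies it; rating SHA-1 as "legacy" rather than "ok" is this example's policy, in the spirit of the post's doubt about it as a long-term fix. The certificates it runs on are constructed skeletons with dummy serial numbers and zeroed signatures, built only to exercise the parser; they are not real certificates, and nothing here verifies a signature.

```python
# Signature-algorithm OIDs from PKCS #1 and the verdict this example assigns.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),   # the rogue-CA attack
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "legacy"),  # the CAs' stop-gap
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All TLVs directly inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (dotted OID, name, verdict) for a DER-encoded Certificate.
    A mismatch between the outer signatureAlgorithm and tbsCertificate.signature
    is itself a red flag and is reported as the verdict 'mismatch'."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tbs, sig_alg, _signature = _children(body)[:3]
    outer_oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])            # [0] version (optional), serialNumber, signature, ...
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    inner_oid = _decode_oid(_children(fields[1][1])[0][1])
    name, verdict = SIG_ALG_OIDS.get(outer_oid, ("unknown", "unknown"))
    return outer_oid, name, "mismatch" if inner_oid != outer_oid else verdict


def audit_chain(chain):
    """Verdict for every certificate in a chain (leaf first).  Any 'broken' or
    'mismatch' entry means the chain should not be relied on."""
    return [signature_algorithm(c)[2] for c in chain]


# --- constructed test data: a tiny DER encoder and skeleton certificates ------
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)


def make_skeleton_cert(oid, inner_oid=None):
    """Structurally valid Certificate with a dummy serial and an all-zero
    signature; only the AlgorithmIdentifier fields carry real information."""
    def alg(o):
        return _der(0x30, _der(0x06, _encode_oid(o)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg(inner_oid or oid))
    sig = _der(0x03, b"\x00" + b"\x00" * 32)   # BIT STRING, zero unused bits
    return _der(0x30, tbs + alg(oid) + sig)
```

To run the same check over a real chain, feed `signature_algorithm` the DER bytes of each certificate (what `openssl x509 -outform DER` emits); the skeleton builder exists only so the example is self-contained. The point of the "legacy" verdict is the one the post makes: a hash swap buys time, and a scan like this is how you find out how much of your trust still rests on the old one.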

December 28, 2008
First OpenID Board Election

The OpenID Foundation just completed its first election for community board seats. 17 candidates ran for 7 seats and 175 out of 217 eligible members voted in the election. My congratulations to Snorri Giorgetti, Nat Sakimura, Chris Messina, David Recordon, Eric Sachs, Scott Kveton, and Brian Kissel for their election as community board members. I look forward to serving on the board with them in January, along with my fellow corporate board members DeWitt Clinton, Tony Nadalin, Gary Krall, and Raj Mata. It looks like a great board!

December 9, 2008
Who is the Dick at my company?

Dick Hardt, independent thinker, entrepreneur, Identity 2.0 leader, fellow OpenID board member, and friend, is Coming to America and joining Microsoft. Dick, I’m looking forward to working with you as a colleague and expect your perspectives to change what we do and make us better for it.

P.S. Lest any of you think I’m being rude, the title of this post is a tribute to Dick’s famous (infamous?) talk title “Who is the Dick on your site?”. :-)