Apr 24, 2011

Remember Hanlon's razor

I've been seeing a lot of panic about this Internet ID stuff lately, and a quick read through the comments sections of most of the articles on the subject reveals an ill-informed and paranoid public, not helped by the tone (and outright misinformation) of some of the articles in question.

Let's try to get a brief run-down of what's going on here, shall we?

From what NIST have said, it basically sounds like OpenID with cryptographic tokens. Anyone who uses their Yahoo, Google, Live, Facebook, or Twitter accounts to sign into other services already does this.
The difference is that this one will (hopefully) be vetted to make sure it's secure enough to use for things like filing taxes and logging in to government systems that hold your personal information.

This next part is important, so listen carefully: it's voluntary.
I imagine online banking sites would implement it for ease of use and security, but I doubt sites like YouTube would bother with it unless everyone was already using it and wanted it for convenience. And even if a site like YouTube or Facebook did allow login under this system, they're not going to force people to use it.

What I'm wondering about is mostly the technology behind it. The information on their site says that you can decide what information a site sees about you, but also that your identity provider will not be able to see how you use your token. Taken together, that means a site can't phone home to the provider on every login: the information has to be carried in tokens signed by the provider, with the attributes split up so that you can hand over only the ones you choose, and the site verifies them offline against the provider's public key. That in turn means every site has to know which providers' keys to trust, which brings into play a lot of the same problems we have with the CA system for secure websites. Not to mention that it'll get a little ungainly.

They also haven't mentioned anything about token revocation. If someone steals your keyfob, or you lose your cellphone (or get malware on it, as is increasingly common on cellphones nowadays), how do you revoke the credential? Checking a revocation list requires at least some contact with the identity provider, which sits awkwardly next to the promise that the provider won't see how you use your token.
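The token structure and the revocation gap described above, as an added example (this is not code from the original post, and it is not anything NIST has published): a toy credential scheme in Go in which the provider signs salted hash commitments to each attribute, the user reveals only the attributes they choose, and the site verifies offline with nothing but the provider's public key. Ed25519, the salted SHA-256 commitments, and the serial number used as the revocation handle are all assumptions of this example, standing in for whatever a real spec would define; the sample claims are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Claim is one attribute the provider vouches for; Salt is random per claim so a site cannot guess hidden values.
type Claim struct {
	Name, Value string
	Salt        []byte
}

// Credential is what the provider hands the user: a serial number (assumed
// here as the revocation handle), one commitment per claim, and a signature.
type Credential struct {
	Serial      string
	Commitments []string
	Signature   []byte
}

// commit hashes name, value and salt with NUL separators so fields cannot run together.
func commit(c Claim) string {
	sum := sha256.Sum256(append([]byte(c.Name+"\x00"+c.Value+"\x00"), c.Salt...))
	return fmt.Sprintf("%x", sum[:])
}

// signedMessage is the exact byte string the provider signs.
func signedMessage(serial string, commitments []string) []byte {
	return []byte(serial + "\n" + strings.Join(commitments, "\n"))
}

// Issue is the provider side: salt every claim, commit to it, sign the set; the user keeps the salted claims.
func Issue(priv ed25519.PrivateKey, serial string, claims []Claim) (Credential, []Claim, error) {
	salted := make([]Claim, len(claims))
	commitments := make([]string, len(claims))
	for i, c := range claims {
		c.Salt = make([]byte, 16)
		if _, err := rand.Read(c.Salt); err != nil {
			return Credential{}, nil, err
		}
		salted[i] = c
		commitments[i] = commit(c)
	}
	sig := ed25519.Sign(priv, signedMessage(serial, commitments))
	return Credential{Serial: serial, Commitments: commitments, Signature: sig}, salted, nil
}

// Present is the user side: hand over only the named claims, salts included.
func Present(salted []Claim, names ...string) []Claim {
	var out []Claim
	for _, c := range salted {
		for _, n := range names {
			if c.Name == n {
				out = append(out, c)
			}
		}
	}
	return out
}

// Verify is the site side. It needs only the provider's public key and never contacts the
// provider, so it cannot notice revocation unless it is also handed a revocation list (nil = none).
func Verify(pub ed25519.PublicKey, cred Credential, revealed []Claim, revoked map[string]bool) (map[string]string, error) {
	if !ed25519.Verify(pub, signedMessage(cred.Serial, cred.Commitments), cred.Signature) {
		return nil, fmt.Errorf("bad provider signature")
	}
	if revoked[cred.Serial] {
		return nil, fmt.Errorf("credential %s has been revoked", cred.Serial)
	}
	known := map[string]bool{}
	for _, c := range cred.Commitments {
		known[c] = true
	}
	out := map[string]string{}
	for _, c := range revealed {
		if !known[commit(c)] {
			return nil, fmt.Errorf("claim %s is not covered by the signature", c.Name)
		}
		out[c.Name] = c.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, salted, _ := Issue(priv, "serial-0001", []Claim{ // constructed sample claims
		{Name: "name", Value: "A. Example"},
		{Name: "age_over_21", Value: "true"},
	})
	// A site that only needs to know you are over 21 never sees the name claim.
	fmt.Println(Verify(pub, cred, Present(salted, "age_over_21"), nil))
	// After the fob is reported stolen the offline check above still passes; only a site holding the list rejects it.
	fmt.Println(Verify(pub, cred, Present(salted, "age_over_21"), map[string]bool{"serial-0001": true}))
}
```

The point of the second call in main is the one the post makes: nothing in the signed credential changes when the fob is stolen, so a site that verifies purely offline keeps accepting it, and the only fix is for the site to get the revocation list from the provider, which is exactly the contact the privacy claim says shouldn't be needed.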

I almost suspect that someone who doesn't know much about cryptographic technology came up with this and just said "We'll come up with what we want it to do and let the eggheads worry about how to do it", not realizing that some of the things they said it should do just aren't very practical.

In usual fashion, they may simply pass the buck to the individual companies and let them decide how to authenticate people, and prove identities. The result of something like that would likely be a laughably insecure mashup of different technologies and standards just barely working together.

In conclusion, it will be interesting to see how this shapes up, and to see how they solve some of the issues I mentioned (I'm betting on some of the stated features being dropped during the specification drafting phase).
I'll post an analysis here when a spec document is released.
