JISC OpenID Report

This morning I got the final copy of this report so I popped it straight up onto the JISC site, which means you can see it around lunchtime if you click here.

We feel this is an important report for the sector as it reviews a technology that we constantly get asked questions about and, until now, haven’t had authoritative answers for. OpenID is, without a doubt, an important technology, but there hasn’t previously been a comprehensive review of how it could be used in the higher and further education sectors. This has led to a lot of speculation and rhetoric, with very strong advocates for the technology but, equally, very strong critics. We’re hoping this report will inform the debate, particularly given that the project has also developed a gateway between OpenID and the UK federation so those with OpenID credentials can access Shibbolised resources (subject to the resource provider being happy to provide access).

Overall, the conclusions were:
i) there is considerable interest in OpenID in the commercial market place, with players such as Google and Microsoft taking an active interest. However,
ii) all commercial players want to be OpenID providers, since this gives them some control over the users, but fewer want to be service providers since this increases their risks without any balancing rewards.
iii) until we can get some level of assurance about the registration of users and their attributes with the OpenID providers, it won’t be possible to use OpenID for granting access to resources of any real value. In other words, without a trust infrastructure OpenID will remain only of limited use for public access type resources such as blogs, personal repositories, and wikis.
iv) imposing such a trust infrastructure with barriers to the acquisition and use of OpenIDs may be seen to negate its open-access, user-centric advantages.
v) OpenID has a number of security vulnerabilities that currently have not been addressed, but at least one of these is also present in the current UK federation.

The implications from this are:
i) Whilst OpenID does have its security vulnerabilities and weaknesses, some of these are also shared by Shibboleth as it is currently designed. Other technologies may subsequently solve these and therefore this could have implications for the UK federation.
ii) The UK federation as currently deployed has a significant shortcoming which is the readiness of IdPs to disclose the real-world identity of users to SPs (as distinct from providing opaque persistent identifiers to support simple customisation). This is not a technical shortcoming but an operational one. Whilst it is relatively easy to solve, until it is, it limits the applicability of Shibboleth to personalised and other services which need to know who the users are. OpenID does not suffer from this limitation and therefore there might be use for it in some scenarios where trust issues can be resolved.

And, finally, the recommendations are:
i) The UK academic community should keep track of both OpenID and CardSpace identity management systems as they evolve. There is clearly a great demand for a ubiquitous secure identity management system, but no consensus yet as to what this should be.
ii) Now that a publicly available OpenID gateway has been built, publicise its availability to the community and monitor its applications and usage. If usage becomes substantial, consider productising the service.
iii) Consider offering a more secure and more trustworthy gateway registration service for SPs that do not use, or use more than, the eduPersonPrincipalName attribute. This will allow them to use OpenIDs for authentication and a wider selection of eduPerson attributes for authorisation. (The current self-registration service is clearly open to abuse).

I’d welcome any comments on the report and/or gateway. I think what we need to do is to keep the debate going and share experience to ensure that researchers and learners can get the most out of OpenID.

7 thoughts on “JISC OpenID Report”

  1. James Farnhill

    Considerable debate on this report can be found on the JISC-SHIBBOLETH list at the following URL (goes to a search for the subject line ‘OpenID Report’):

    http://bit.ly/37QYqz

    Worth a read if the above is of interest to you.

  2. Andrew Cormack

    I was interested that the gateway implementation was OpenID OP to Shib SP, rather than the other way around (Shib IdP to OpenID RP). One use case I have heard suggested for that reverse direction is where maintenance of a blog or other on-line resource is part of a student’s assessed work. If the university doesn’t want to provide a web 2.0 server (or wants to let students choose where to host their work) then being able to assure itself that contributions of a particular OpenID handle were indeed from a particular student could be very useful. I don’t know whether that idea has gone away or whether it comes from a teaching, rather than IT support perspective?

    I would have been interested in a bit more detail on the perceived problems with organisations releasing ePPN. Appendix 3 doesn’t really provide a solution, as is trailed in the executive summary, and in fact I suspect that any solution would apply to both Shib and OpenID. That’s because as far as I can see this is actually a legal issue rather than an operational or technical one: an organisation releasing information that links the on-line and real-world identities of others is inevitably in a different legal position from a real-world person making (or not making!) that same link about themselves. They also give the recipient SP/RP a different class of information – ePPN/OpenID from a third party is likely to be reliable (at least under UK federation Rules), self-declared ePPN/OpenID is unreliable. The protocol used to carry the information is, pretty much, irrelevant (complaints about these statements should be sent to me at ;-)). An OpenID provider that did strong identity verification before disclosing non-opaque identifiers would be in the same legal position as a Shib IdP handing out ePPN. (If the identifiers were opaque it would look pretty much like ePTID both in function and law!)

    And there’s nothing in the UK federation Rules or the law that says an organisation can’t release ePPN *if* it’s necessary: the Rules point out that it rarely is, whereas the law imposes considerable additional burden on both IdP and SP if they do.

  3. Brian Kissel

    Representatives from the Shibboleth community attended the OpenID User Experience Summit at Yahoo several weeks ago. Would be interesting to hear feedback from that event from anyone who attended. Also, the OpenID Foundation would welcome participation, input, and recommendations from JISC on how OpenID could evolve to meet your needs.

  4. Andy Powell

    My overall thoughts are blogged at http://tinyurl.com/7lc2h5

    Slightly more detailed comments follow:

    5.1.1 misses the biggest advantage of OpenID, namely that it is relatively mainstream (at least in comparison to Shib, which appears education-only) and therefore has a significantly more diverse range of developer, usability and other eyes focusing on it.

    5.1.2.1 finds fault with OpenID for something which could/should be solved in a federation-like trust layer.

    As per my blog entry, I fundamentally disagree with the assertion in 5.1.2.2 that all users should or will see all OPs as being equal. Similarly, the tail end of that section compares OpenID with the UK Federation which is not comparing like with like.

    5.1.2.5 asserts that OpenID ‘typically’ uses HTTP – I’m not sure what basis is used for this. Claimid.com (for example) appears to always use HTTPS for OP/SP key exchange – other OPs seem to use HTTPS only when an HTTPS OpenID has been used. Not sure what is typical – or even if it makes sense to assert what is typical in the current climate?

    5.1.2.7, 5.1.2.8 and 5.1.2.9 do not strike me as explicitly “security weaknesses”, so I’m not sure why they appear in this section.

    Table 1 makes it clear that an inappropriate comparison is being made between OpenID and the UK Federation.

  5. James Farnhill

    Andy

    Apologies, firstly, that it’s taken me a while to post a reply on your comments; I managed to approve your comment just before I went on leave for Christmas.

    To reply to your points:

    5.1.1 Fair point that OpenID is more mainstream than Shib BUT currently there are numerous issuers but few relying parties of consequence. I think those eyes that are focusing on it would become significantly sharper and OpenID would become more mainstream if a few key relying parties fully supported OpenID;

    5.1.2.1 I think it’s fair to make readers aware of this. It’s then up to them as to how they solve it.

    5.1.2.2 What we’ve seen already from federation users is that they want something that just works. Both you and I, with a background in identity and access management can argue that there should be an element of social mediation of trust infrastructures but that’s not what we saw when the report was put together. In a way, I would like to see what you suggest in your blog entry happening re market forces as it would make life considerably easier for those who might not have a UK federation login!

    5.1.2.5 I can’t really comment on this as the authors of the report did the research and have a good grounding in security infrastructures. Isn’t this always, to some extent, going to be a matter of opinion?

    5.1.2.7 to 5.1.2.9 are useful, I think, to understand the whole picture of the pros and cons of OpenID. OK, they may not necessarily be ‘security weaknesses’ but I think that is splitting hairs.

    We’re quite often asked about why we don’t use a technology such as OpenID rather than the UK federation so I think it’s worth having this comparison in. It is also likely that most of the education community have used the UK federation so have something to compare OpenID against. My personal view is that OpenID can act as a complement to the federation so it is equally useful to see what the positives and negatives of each one are.

    And on that more positive note and to pick up on where your blog post is going, we are going to be looking at how we deal with the trust infrastructure in future work and it’s not just going to focus on OpenID but other promising technologies tied up with, as you point out, policies and practices that make them workable. What we’re looking at first is where the problems are then getting solutions that work so more will appear as we uncover those.

  6. Pingback: Confluence: VIVOweb: Enabling National Network of Scientists

  7. James Farnhill

    Whilst this looks like a useful link, it goes straight to a login screen, so could you either provide a guest username and password or an unprotected link so others can read what is behind the login?
