{"id":236,"date":"2007-09-20T11:12:04","date_gmt":"2007-09-20T18:12:04","guid":{"rendered":"http:\/\/www.laurenwood.org\/anyway\/archives\/2007\/09\/20\/suns-openid-idp-business-purpose\/"},"modified":"2007-09-30T11:32:23","modified_gmt":"2007-09-30T18:32:23","slug":"suns-openid-idp-business-purpose","status":"publish","type":"post","link":"https:\/\/www.laurenwood.org\/anyway\/2007\/09\/suns-openid-idp-business-purpose\/","title":{"rendered":"Sun\u2019s OpenID IdP: Business Purpose"},"content":{"rendered":"<p>Part of a series on Sun\u2019s OpenID@Work initiative; see the <a href=\"http:\/\/www.laurenwood.org\/anyway\/2007\/09\/suns-openid-idp-introduction\/\">introduction<\/a> for more context.<\/p>\n<p>One of the interesting things about security is that you can never make anything 100% secure. You need to figure out what the risks are, how likely they are to occur, and what the damage will be if something bad does happen, and then make your plans accordingly. In most countries I\u2019ve lived in, that means putting locks on the house doors and using them; in Canada we also have a security alarm, but none of the apartments I lived in in Germany had one. Different countries, different risks (houses are often easier to break into than apartments that aren\u2019t on the ground floor), and different plans for minimizing&nbsp;risks.<\/p>\n<p>So it is with computer systems, and with the OpenID <abbr title=\"Identity Provider\">IdP<\/abbr> we put up. The amount of effort that is worth putting into securing a system depends on how important the system is, and what the expected damage is if something goes wrong. 
So in the formal security review of the system, one of the first questions was: what is the purpose of this system, and how does that purpose balance against the risks of running it? Any time you make information available via the web, there is a risk that the information will be stolen or compromised, so you need to know where that might happen, what the probability is of it happening, what the expected damage is,&nbsp;etc.&nbsp;<\/p>\n<p>The business purpose for the OpenID IdP was, and still is, to gain experience in using OpenID, and to make OpenID identifiers available to Sun employees on an experimental, opt-in basis. Sun employees do not use OpenID for any mission-critical or important business applications within Sun. A couple of the reasons for that are that this is an experimental service, not guaranteed to be available 24\/7 and with limited user support. OpenID is also an untrusted protocol. It has some well-known susceptibilities to phishing and other attacks, only some of which can be mitigated by good programming (at least in version 1.1, the version we deployed, since 2.0 isn\u2019t finished yet). So the service we put up was expressly made available to Sun employees for their personal, not business, use. The fact that it also guarantees that a person with an authenticated openid.sun.com OpenID is a Sun employee is almost a side-effect. 
We thought that maybe some consumer sites (or relying parties) might offer special deals for Sun employees, or whitelist advantages, but we haven\u2019t seen any yet. Yes, we\u2019re on the whitelist at <a href=\"http:\/\/dev.aol.com\/node\/578\"><span class=\"caps\">AOL<\/span><\/a>, but I\u2019m not sure what advantage that\u2019s going to&nbsp;bring.<\/p>\n<p>So, what are the results of our experiment? If you look at it in terms of what our little project group learned from putting up an experimental test deployment, it was great. I got to play around with OpenSSO code and learn more about load balancing than I knew previously. (As a reminder, <a href=\"https:\/\/opensso.dev.java.net\/\">OpenSSO<\/a> is open source, as is the <a href=\"https:\/\/openid.dev.java.net\/\">OpenID extension<\/a> we used, so feel free to download them and try them out.) We get a lot of queries from people both within and outside of Sun wanting to know what OpenID is about, how it works, and what people use it for, all of which we can answer on the basis of \u201cwell, in our deployment it looks like&nbsp;this\u201d.&nbsp;<\/p>\n<p>How many people actually use the service each week? That number is pretty low: under 35 accesses of some consumer site (relying party) per week, most weeks. I have my own theories as to why this is the case; the most obvious to me is that it\u2019s harder to use OpenID than the alternative username\/password approach. On all the OpenID-enabled sites I use, I need to have an account already, and can then use my OpenID identifier as an alternative means to log in. 
But if I already have a username and password stored in my browser, it\u2019s only one click to use that, whereas to use my OpenID identifier I have to click on the icon, fill in the identifier, wait until it redirects, sign in at the Sun OpenID IdP, wait until it redirects again\u2026 it just takes a lot longer. Being the paranoid type that I am, I have added my OpenID information to some of these sites so that if I forget my password, or lose it when I reinstall the <span class=\"caps\">OS<\/span>, I have a back-up login method, but that\u2019s not reason enough to use my OpenID identifier regularly. In the absence of some special deal for Sun employees, or a site enabling login without registration, there just isn\u2019t enough motivation for me to go through those extra&nbsp;steps.<\/p>\n<p>Getting back to the risk and security issue, we did make the system secure for the things we thought really important. We are using commercial-grade software (OpenSSO is the open source variation of Access Manager) to keep people\u2019s information secure, and users are not allowed to use the same user name or password that they use for Sun\u2019s internal systems, so that if a rogue site captures their OpenID credentials it gains nothing usable inside Sun. We use <span class=\"caps\">HTTPS<\/span> for everything except the OpenID identifier itself, and the system has been tested to ensure it responds appropriately to a number of expected exploits. So users don\u2019t have to worry about the IdP leaking their information; the remaining risk is that they give it away themselves. 
The one weak spot is that we use password-based authentication, which is more susceptible to phishing than some other systems; more about the reasons for that in a later&nbsp;post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Part of a series on Sun\u2019s OpenID@Work initiative; see the introduction for more context. One of the interesting things about security is that you can never make anything 100% secure. You need to figure out what the risks are, how likely they are to occur, and what the damage will be if something bad does \u2026 <a href=\"https:\/\/www.laurenwood.org\/anyway\/2007\/09\/suns-openid-idp-business-purpose\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \u201cSun\u2019s OpenID IdP: Business Purpose\u201d<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"","activitypub_status":"","footnotes":""},"categories":[13],"tags":[25,24],"class_list":["post-236","post","type-post","status-publish","format-standard","hentry","category-identity","tag-openid","tag-sunopenid"],"_links":{"self":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts\/236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laurenw
ood.org\/anyway\/wp-json\/wp\/v2\/comments?post=236"}],"version-history":[{"count":0,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/posts\/236\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/media?parent=236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/categories?post=236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laurenwood.org\/anyway\/wp-json\/wp\/v2\/tags?post=236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
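The redirect dance the post describes (fill in the identifier, get sent to the IdP, sign in, get sent back) is OpenID 1.1's checkid_setup / id_res exchange. The Python below is an added example, not code from the post, from OpenSSO or from its OpenID extension: it models both sides of that exchange offline. The relying party discovers the IdP endpoint from the <link rel="openid.server"> tag on the identifier page, builds the checkid_setup redirect, and afterwards verifies the HMAC-SHA1 signature on the IdP's id_res assertion; the IdP side signs the assertion once the user has logged in. The hostnames, the association handle and the 20-byte association secret are constructed for the example (the Diffie-Hellman association that would normally establish the secret is omitted). The discovery step is also where the phishing susceptibility the post mentions sits: the relying party decides which URL the user is sent to for entering a password, and nothing in the 1.1 protocol helps the user tell the real IdP's login page from a look-alike, which is why the post calls password-based authentication the weak spot.

```python
"""OpenID 1.1 login round-trip, both sides, run offline (added example)."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: the HTML a relying party (RP) would fetch from the user's
# identifier URL. In OpenID 1.1 the IdP endpoint comes from this <link> tag.
IDENTIFIER_URL = "http://openid.example.com/alice"          # assumption
IDENTIFIER_HTML = """<html><head>
<link rel="openid.server" href="https://idp.example.com/openid/service">
</head><body>alice</body></html>"""

# Constructed: the secret both sides hold after the association step
# (the Diffie-Hellman exchange that would establish it is omitted here).
ASSOC_HANDLE = "assoc-2007-09-20"                           # assumption
ASSOC_SECRET = b"0123456789abcdef0123"                      # 20 bytes for HMAC-SHA1


def discover_server(html: str) -> str:
    """RP side: pick the IdP endpoint off the identifier page.

    The RP trusts whatever this page says; that endpoint is where the user
    will be redirected to type a password, which is the phishing exposure.
    """
    m = re.search(r'<link[^>]*rel="openid\.server"[^>]*href="([^"]+)"', html)
    if not m:
        raise ValueError("no openid.server link on identifier page")
    return m.group(1)


def build_checkid_setup(server: str, identity: str, return_to: str,
                        trust_root: str) -> str:
    """RP side: the URL the user's browser is redirected to."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    return server + "?" + urlencode(params)


def _kv_form(fields: dict, signed: list) -> bytes:
    # OpenID 1.1 signs the key:value form of the listed fields, in order.
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def idp_sign_assertion(request_url: str, secret: bytes) -> dict:
    """IdP side: after the user has authenticated, answer with a signed id_res."""
    q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    if q.get("openid.mode") != "checkid_setup":
        raise ValueError("not a checkid_setup request")
    fields = {"mode": "id_res", "identity": q["openid.identity"],
              "return_to": q["openid.return_to"]}
    signed = ["mode", "identity", "return_to"]
    sig = hmac.new(secret, _kv_form(fields, signed), hashlib.sha1).digest()
    resp = {"openid." + k: v for k, v in fields.items()}
    resp["openid.assoc_handle"] = q["openid.assoc_handle"]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = base64.b64encode(sig).decode()
    return resp


def rp_verify_assertion(resp: dict, secret: bytes, expected_return_to: str) -> bool:
    """RP side: recompute the HMAC over the signed fields and compare."""
    if resp.get("openid.mode") != "id_res":
        return False
    if resp.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False
    signed = resp.get("openid.signed", "").split(",")
    # The fields the RP relies on must actually be covered by the signature.
    if not {"mode", "identity", "return_to"} <= set(signed):
        return False
    fields = {k: resp.get("openid." + k, "") for k in signed}
    if fields["return_to"] != expected_return_to:
        return False
    expected = hmac.new(secret, _kv_form(fields, signed), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(resp.get("openid.sig", "")))


def login_round_trip(tamper: bool = False) -> bool:
    """Run the whole exchange; optionally alter the identity in transit."""
    server = discover_server(IDENTIFIER_HTML)
    return_to = "https://rp.example.org/openid/return"       # assumption
    redirect = build_checkid_setup(server, IDENTIFIER_URL, return_to,
                                   "https://rp.example.org/")
    resp = idp_sign_assertion(redirect, ASSOC_SECRET)
    if tamper:
        resp["openid.identity"] = "http://openid.example.com/bob"
    return rp_verify_assertion(resp, ASSOC_SECRET, return_to)


if __name__ == "__main__":
    print("genuine assertion accepted:", login_round_trip())
    print("tampered assertion accepted:", login_round_trip(tamper=True))
```

The signature check protects the relying party against a forged or altered assertion, but it does nothing for the user: a relying party that points discovery at an IdP it controls gets a perfectly valid-looking login page in front of the user, and only the user's own attention to the address bar stands between them and a phished password. That is the gap the post's separate-credentials rule is meant to contain.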