Thesis Project on Open ID with Martijn Oostdijk at Novay, Enschede

Even Microsoft looks like adopting OpenID Microsoft looks like adopting OpenID and the US goverment is building a trust framework to use OpenID for e-government services The result will undoubtably also incorporate aspects of the other two frameworks in the area: Information Card and SAML. These already collaborate with OpenID in here and written up in a more readable form here. Note that it is all built on top of open W3C standard, so that for the end user only requires a standard web brower.

There are some complaints and rumours about the security of OpenID, see for instance

• Ben Laurie on OpenID phishing
• Marco Slot on OpenID phishing
• Bookmarks to the rescue
• Tsyrklevich on OpenID security at Black Hat

A student of Mads Dam already used some tools on OpenID protocols and software, the authN protocol and a .NET implementation, to be precise:

Questions to be investigated include

• In how far and which situations is OpenID 2.x safe to use?
• Which design decisions in Information Card and SAML make these framework safer than OpenID? (if this is really the case)
• Which additional measures can or should Identity providers (IdPs), Relying Party (RPs) and end user take to improve security? Or can this only be done by changing the standard?

The intended result should be on overview of security issues and possible measures. Ideally things should be demonstratable, so there's scope for some practical work.

For more info, contact