
I'm wondering which security model is behind OpenID. Is it anything like Kerberos?

Kerberos is not a "security model", it is an authentication protocol. "Security model" usually means something different... actually by itself it is pretty vague, as it can mean different things depending on context. – AviD Jul 11 '11 at 22:55

2 Answers


The question is very broad and it is hard to guess what you are actually asking. You can find the specification at http://openid.net/developers/specs/

Kerberos is typically used in a controlled environment. In that environment there are known and trusted Kerberos servers ("key distribution center"). The Kerberos server authenticates the service provider to the client and the client to the service provider. Therefore the Kerberos server must know of all clients and all service providers.

OpenID, however, is designed for an open environment such as the Internet at large. That is, any service provider (website) can work together with any OpenID server ("identity provider") to authenticate clients.

Differences between Kerberos and OpenID

As Kerberos is used in controlled environments, logging in to services is totally transparent after you have logged in to your computer. On the Internet, however, you have to pick your OpenID provider and then log in to it. These are two additional steps. Furthermore, the redirect to your OpenID provider may end up at a phishing site instead if the service provider is malicious.

The OpenID server only knows about its users. Unlike Kerberos, OpenID providers cannot authenticate service providers. Many OpenID providers therefore ask the user to confirm that they want to log in to a specific website before passing identity information. In a controlled environment such decisions are made by the administrators instead (assuming that they have a better understanding of security than users). This confirmation can be saved for each domain. Unlike Kerberos, however, there is no authentication involved. If the ownership of a domain changes, for legitimate or illegitimate reasons, this is not noticed.

Conclusion

OpenID has a number of issues that Kerberos does not have. Kerberos, however, does not work at all in an open environment, so it is no alternative for the common use cases of OpenID.

Hendrik Brummermann
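The trust relationships this answer contrasts, as an added example that is not part of the original answer and not code from any OpenID or Kerberos implementation. It models both topologies with toy principals: in the Kerberos half the KDC holds one long-term key per client and per service and a service that cannot open its ticket fails the login, while in the OpenID half the provider knows only its users, accepts any relying party that sends a user to it, and remembers the user's per-realm confirmation by realm string alone. All names, realms, URLs and passwords are made up, and HMAC tags stand in for real ticket encryption and for the relying-party/provider association secret.

```python
# Added example, not code from the original answer or from any OpenID/Kerberos
# implementation. All keys, principal names, realms and URLs are made up, and
# HMAC tags stand in for ticket encryption and assertion signing.
import hashlib
import hmac
import json
import secrets


def seal(key: bytes, obj: dict) -> tuple[bytes, str]:
    """Only a holder of `key` can produce an accepted tag; that is the one
    property the trust argument needs, so a MAC is enough for the model."""
    body = json.dumps(obj, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(key: bytes, body: bytes, tag: str) -> dict:
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise PermissionError("not sealed under this principal's key")
    return json.loads(body)


class KDC:
    """Kerberos: one long-term key per principal, client or service alike, so
    the KDC has to know every party before any login can happen."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def register(self, principal: str) -> bytes:
        self.keys[principal] = secrets.token_bytes(32)
        return self.keys[principal]

    def ticket(self, client: str, service: str):
        if client not in self.keys or service not in self.keys:
            raise KeyError("principal unknown to the KDC")
        session = secrets.token_hex(16)
        # The ticket is readable only by the party registered under `service`;
        # the client receives the same session key sealed under its own key.
        return (seal(self.keys[service], {"client": client, "session": session}),
                seal(self.keys[client], {"service": service, "session": session}))


def kerberos_login(kdc: KDC, client: str, client_key: bytes,
                   service: str, service_key: bytes) -> bool:
    """True only if the holder of `service_key` is who the KDC knows as
    `service`: it proves itself to the client by echoing the client name
    under the session key (mutual authentication)."""
    ticket, for_client = kdc.ticket(client, service)
    session = unseal(client_key, *for_client)["session"].encode()
    try:
        seen = unseal(service_key, *ticket)            # service side
    except PermissionError:
        return False                                   # impostor cannot open it
    proof = seal(session, {"ack": seen["client"]})     # service -> client
    return unseal(session, *proof)["ack"] == client


class OpenIDProvider:
    """OpenID: the provider knows its users and nothing about relying parties.
    The user's per-realm confirmation is the only check on the site, and it
    is remembered by realm string, so a change of domain owner is invisible."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)   # stands in for the RP/OP association
        self.users: dict[str, str] = {}
        self.approved: set[tuple[str, str]] = set()

    def assert_identity(self, user: str, password: str, realm: str,
                        return_to: str, user_confirms) -> tuple[bytes, str]:
        if self.users.get(user) != password:
            raise PermissionError("bad password")
        if (user, realm) not in self.approved:
            if not user_confirms(realm):
                raise PermissionError("user declined to log in to " + realm)
            self.approved.add((user, realm))
        return seal(self.key, {"identity": user, "realm": realm,
                               "return_to": return_to, "nonce": secrets.token_hex(8)})


def relying_party_login(op: OpenIDProvider, user: str, password: str,
                        realm: str, return_to: str, user_confirms) -> str:
    """The relying party never registered with `op`; it only redirects the
    user there and verifies the assertion that comes back."""
    claims = unseal(op.key, *op.assert_identity(user, password, realm,
                                                return_to, user_confirms))
    if claims["return_to"] != return_to:
        raise PermissionError("assertion was issued for another return_to")
    return claims["identity"]


if __name__ == "__main__":
    kdc = KDC()
    ck, sk = kdc.register("alice@EXAMPLE"), kdc.register("http/files.example")
    print(kerberos_login(kdc, "alice@EXAMPLE", ck, "http/files.example", sk))
    op = OpenIDProvider()
    op.users["alice"] = "hunter2"
    print(relying_party_login(op, "alice", "hunter2", "https://shop.example",
                              "https://shop.example/return", lambda realm: True))
```

Running it shows the asymmetry in the answer: `kdc.ticket` refuses a service name it was never told about, and an impostor holding a different key fails `kerberos_login`, whereas `relying_party_login` works for a realm the provider has never seen, and a second login to the same realm string succeeds without asking the user again even if a different operator now owns it.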

I understand that OAuth (which is the protocol that OpenID implements) is a direct descendant of Kerberos. Have a look at this discussion for a pointer to the spec.

Pete Wilson
OAuth and OpenID are separate but complementary protocols, which are sometimes used together. You can use actual Kerberos signatures as one option in the new OAuth2. And otherwise they do have similarities, as described more at [How does OAuth compare with Kerberos?](http://getsatisfaction.com/oauth/topics/how_does_oauth_compare_with_kerberos) – nealmcb Jul 11 '11 at 21:18