October 24, 2010


The issue preventing DoD organizations from issuing/relying on OpenID services is the underlying vulnerabilities in password-based authentication. It's obviously secure enough for some activities (I just used OpenID to authenticate myself to TypePad to enter this comment). But here the concern is to ensure that I'm not a bot rather than to ensure that I'm actually who I claim to be. OpenID and other ID federation schemes are just too vulnerable to be used safely for access to sensitive information, financial transactions, or other activities where assured identity is required. The trade-off is convenience vs. security.


Hey Rob, you are right. But none of the examples I gave require that kind of sensitivity to security issues. I'm not suggesting it be used inside the enterprise to access sensitive information. I'm suggesting that it be offered as a service to sites outside the enterprise who can then offer simple enhanced services based on a reasonable assurance that the user is in the military. I would not, for example, expect a bank to accept it as proof of identity.

