[OpenID] How can an RP trust your OP?

Andrew Tomlinson adt at cannontomlinsonbyrne.com
Fri Jul 6 09:14:49 UTC 2007


Sent this using the wrong email address and hit moderation - apologies if it
gets duped...

While people are all using OpenID for things that are low value (no getting
a bank loan based simply on OpenID authentication), ad-hoc trust
relationships for OP/RP aren't an issue. People want to do better, so we come
up with suggestions like:

* Reputation based peering of OP/RP through 3rd party scoring
* Realtime OP/RP/User whitelists/blacklists
* Require an SSL Certificate with a reputable CA (maybe even EV)

These all sound very similar to existing anti-spam solutions to me... and we
know how well they work (and how many standards there are).

Isn't there a way we can avoid going the same way? The last thing we need is
identifiers only being usable on the OP and their RP sister sites because of
a complicated mix of reputation rules and lists. I know it isn't really the
job of the protocol, but it is all part of the package.

It seems obvious that a user must think that their OP is trustworthy enough
for what they want to use it for - it is their choice to make. The problem I
see is whether the RP can reasonably trust the OP to act as an
authentication agent for a specific type of transaction - especially where
money is concerned. Also, without SSL and mutually agreed certification roots,
how does the RP know that the OP even is the OP that the user trusts?
If trusted SSL isn't required, then why would a spoofer use it?

How about adding "acceptable use" metadata into the XRDS about what to use a
specific OP for? E.g. "For this OP recheck trust before purchases and
require SSL always" or "only trust an OP with this public key"? Of course
you would need to keep the XRDS on a trusted secure server... ;)

Just a thought,

Andrew
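The "acceptable use" idea above, written out as RP-side code. This is an added example and is not part of the original post or of any OpenID library: the `au:Policy` block and its namespace (`http://example.org/xrds/acceptable-use`), the element names `RequireTLS`, `RecheckBefore` and `PublicKeySHA256`, the fictional OP `op.example.net`, and the stand-in public key bytes are all invented for illustration. The XRDS envelope, the `xri://$xrd*($v*2.0)` namespace and the `http://specs.openid.net/auth/2.0/signon` service type are the real OpenID 2.0 discovery identifiers. The RP parses the OP's XRDS, refuses a non-https endpoint when the policy demands TLS, pins the OP key by SHA-256 fingerprint, and flags transactions for which the policy says trust must be re-established first.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Real OpenID 2.0 / XRDS identifiers.
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"
# Hypothetical namespace for the "acceptable use" block proposed in the post.
POLICY_NS = "http://example.org/xrds/acceptable-use"


def build_sample_xrds(endpoint: str, key_sha256: str) -> str:
    """Constructed XRDS for a fictional OP carrying the hypothetical policy block."""
    return f"""<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}" xmlns:au="{POLICY_NS}">
  <XRD>
    <Service priority="0">
      <Type>{OPENID_SIGNON}</Type>
      <URI>{endpoint}</URI>
      <au:Policy>
        <au:RequireTLS>true</au:RequireTLS>
        <au:RecheckBefore>purchase</au:RecheckBefore>
        <au:PublicKeySHA256>{key_sha256}</au:PublicKeySHA256>
      </au:Policy>
    </Service>
  </XRD>
</xrds:XRDS>"""


# Constructed stand-in for the OP's public key; not a real key.
SAMPLE_OP_KEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"
SAMPLE_FP = hashlib.sha256(SAMPLE_OP_KEY).hexdigest()
SAMPLE_XRDS = build_sample_xrds("https://op.example.net/server", SAMPLE_FP)


@dataclass
class OPPolicy:
    endpoint: str
    require_tls: bool = False
    recheck_before: set = field(default_factory=set)  # transaction types needing fresh auth
    key_sha256: str = ""                                # pinned fingerprint, "" = not pinned


@dataclass
class Decision:
    allowed: bool
    reauthenticate: bool
    reason: str


def parse_op_policy(xrds_text: str) -> OPPolicy:
    """Pick the OpenID 2.0 signon service out of an XRDS and read its policy block.
    The XRDS itself must have been fetched from a trusted source; this code does
    not protect against a forged XRDS, which is exactly the caveat in the post."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OPENID_SIGNON not in types:
            continue
        endpoint = (svc.findtext(f"{{{XRD_NS}}}URI") or "").strip()
        if not endpoint:
            raise ValueError("signon service has no URI")
        pol = OPPolicy(endpoint=endpoint)
        block = svc.find(f"{{{POLICY_NS}}}Policy")
        if block is not None:
            flag = block.findtext(f"{{{POLICY_NS}}}RequireTLS", "false")
            pol.require_tls = flag.strip().lower() == "true"
            pol.recheck_before = {e.text.strip() for e in block.findall(f"{{{POLICY_NS}}}RecheckBefore") if e.text}
            pol.key_sha256 = (block.findtext(f"{{{POLICY_NS}}}PublicKeySHA256") or "").strip().lower()
        return pol
    raise ValueError("no OpenID 2.0 signon service in XRDS")


def check_op(policy: OPPolicy, transaction: str, presented_key: bytes) -> Decision:
    """Decide whether the RP may rely on this OP for a given transaction type."""
    scheme = urlparse(policy.endpoint).scheme.lower()
    if policy.require_tls and scheme != "https":
        return Decision(False, False, f"policy requires TLS but endpoint scheme is {scheme!r}")
    if policy.key_sha256:
        fp = hashlib.sha256(presented_key).hexdigest()
        if not hmac.compare_digest(fp.encode(), policy.key_sha256.encode()):
            return Decision(False, False, "OP public key does not match pinned fingerprint")
    if transaction in policy.recheck_before:
        return Decision(True, True, f"policy requires fresh authentication before {transaction}")
    return Decision(True, False, f"OP acceptable for {transaction}")


if __name__ == "__main__":
    policy = parse_op_policy(SAMPLE_XRDS)
    for tx in ("login", "purchase"):
        print(tx, check_op(policy, tx, SAMPLE_OP_KEY))
    print("wrong key", check_op(policy, "login", b"not the pinned key"))
    plain = parse_op_policy(build_sample_xrds("http://op.example.net/server", SAMPLE_FP))
    print("plain http", check_op(plain, "login", SAMPLE_OP_KEY))
```

The fingerprint comparison is constant-time and the TLS check is applied before the key check, so a downgraded endpoint is rejected even if it presents the right key. Everything here still hinges on the XRDS being served from somewhere the RP already trusts, which is the "keep the XRDS on a trusted secure server" point the post ends on.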