[OpenID] How can an RP trust your OP?

Andrew Tomlinson adt at cannontomlinsonbyrne.com
Fri Jul 6 11:17:42 UTC 2007


On reflection I was thinking more about "one click buy a book" than banks. Getting banks using OpenID was maybe too much of a stretch but it is the same problem - how can I as a book seller reasonably believe one of my account holders wants to buy a book. Who is liable if they didn't but the user and OP (technically speaking) authenticated successfully? Currently with in-house authentication at the RP there is only them and the user involved and they have terms and conditions to cover that etc - introduce a third party and you need some form of additional contract.

SSO for proof of identity to every little e-commerce site is a big target market for OpenID, isn't it? The public OpenID infrastructure will need some way to regulate rogue RPs/OPs and have some sort of policy as to what the OP/RP legal contract is. Leaving it open with no guidance will end up with a decrease in value when people come to an RP which implements PAPE but their OP doesn't, or their OP has been blacklisted by some unknown blacklist that doesn't have a dispute policy. Then everyone becomes an OP and only allows their own OpenIDs to access their resources.

I don't mean this to the exclusion of people using OpenID in private in whatever manner suits them - partner login, gated communities etc. The wider world will need some level of consistency of approach to maximise the usability of public identifiers on public websites.

Maybe I am overcomplicating things and it will all just fall into place naturally.

Andrew

-----Original Message-----
From: Martin Paljak [mailto:martin at paljak.pri.ee] 
Sent: 06 July 2007 11:02
To: Andrew Tomlinson
Cc: general at openid.net
Subject: Re: [OpenID] How can an RP trust your OP?

On 06.07.2007, at 12:14, Andrew Tomlinson wrote:

> While people are all using OpenID for things that are low value (no
> getting a bank loan based on simply OpenID authentication) ad-hoc trust
> relationships for OP/RP aren't an issue. People want to do better
> so we come up with suggestions like:

What is the ratio of low value sites vs high value sites on the
internet? Do you want, right now, for your bank to let you into their
online system with your OpenID? If you consider your trust as a
constant, how do you divide it currently between the low and high
value sites you use?


> Isn't there a way we can avoid going the same way? The last thing
> we need is identifiers only being usable on the OP and their RP sister
> sites because of a complicated mix of reputation rules and lists. I know
> it isn't really the job of the protocol, but it is all part of the package.

I don't see any trends in that matter, other than 'get your openid'  
links at login pages that direct users to affiliate OpenID providers.  
I hope nobody wants to question the security of those providers. But  
your concern is valid.


> It seems obvious that a user must think that their OP is
> trustworthy enough for what they want to use it for - it is their
> choice to make. The problem I see is whether the RP can reasonably
> trust the OP to act as an authentication agent for a specific type of
> transaction - especially where money is concerned. Also without SSL
> and mutually agreed certification roots

I believe that one should forget the technology for a second and  
think about the problem with the user in the center: the RP should  
trust the user not the OP. It doesn't matter if the RP trusts the OP  
or not - say it does but if the user is rogue then everything above  
"authentication" is bogus and possibly false (registration info, and  
possibly credit card numbers etc) - the trust that RP puts into OP is  
worthless if the RP actually doesn't trust the user at all (and for a  
reason). I believe all other transactions (above login, that move  
money around) should be secured by other means. OpenID just gives the  
answer 'who you are?' but money transactions are usually  
authenticated and guarded by other means (credit card at your trusted  
bank, digital signatures etc).

I see OpenID as an easy, portable, lightweight way of moving your
'me' around the network and adding some auto-discovery and
interoperability into the game. Me personally - I don't want my bank
to use OpenID for *authentication* even though it could make use of
my OpenID URL for some possible automation or data exchange purposes.

> then how does the RP know that the OP even is the OP that the user
> trusts? If trusted SSL isn't required then why would a spoofer use it?

It is a problem. True. But maybe OpenID does not want to enter the
super-trust market?


> How about adding "acceptable use" metadata into the XRDS about what
> to use a specific OP for? E.g. "For this OP recheck trust before
> purchases and require SSL always" or "only trust an OP with this public
> key"? Of course you would need to keep the XRDS on a trusted secure
> server... ;)

This is difficult to implement. It tries to 'help' or 'direct' RP-s  
in their trust evaluation but for it to work on infrastructure scale  
you need another infrastructure to manage the trust in this  
suggestion system. Endless trust loop.

I even believe that the same way one can't sell "complete security in  
a box" for €99 it is almost impossible to sell a uniform "trust in a  
box" solution. Trust is very personal and this applies to RP-s (the  
persons building the RP have their own trust metrics and policies and  
there's nothing you can do to change that).


-- 
Martin Paljak
http://martin.paljak.pri.ee