[OpenID] Trust + Security @ OpenID

Hans Granqvist hans at youbico.com
Sun Jul 8 17:33:36 UTC 2007


> I've been calling this the "outsourcing the security of our users"
> problem. Site owners are uncomfortable about relying on the security
> of the user's chosen OpenID provider - after all, if they pick a bad
> one then the site's own security measures are null and void.

That's only applicable to the site's security measures relating to
the origin and identification of the user, not its security against
webapp attacks, right?

>
> My counter-argument is that if the site has a "I've forgotten my
> password" feature that uses e-mail to verify the user, they're already
> outsourcing the security of their users to that user's chosen e-mail
> provider, and OpenID changes nothing.

Emails can be signed and encrypted and refer back to click-thru
pages with user-set re-activation questions (a la "What was the name
of your first dog?"). Is that different from OpenID scenarios?

>
> That argument holds up well for many sites, but there are some sites
> (such as banks) that don't provide an e-mail recovery service,
> presumably precisely because they don't want to rely on the security
> of the user's email service.

I am sure the assumption is true, but would be curious to see
the whole reasoning behind this reluctance of banks to use
email -- anyone know?

> In those cases, whitelisting OpenID
> providers based on their security measures seems like a reasonable
> option. In fact, it's a great use case for OpenID - if someone has
> gone through the effort to do highly secure, phishing resistant

Who decides the quality of the authn mechanism? "highly secure"
and "phishing resistant" are fluid terms.

> two-factor authentication suitable for use with online banking, OpenID
> is a great way for that achievement to be re-used by other sites that
> need the same level of security.

Interesting.

How would you be able to depend on the OP actually doing what it
advertises it's doing? Where would the liabilities lie if the OP in effect
used another mechanism and "something bad" happens?

It seems impossible to build OpenID OP/RP communities based on declared
intentions, and that any whitelisting on RP's part would have to be at RP's
discretion based on past OP performance.

One way could be to let the OP <--> RP trust relations be described in a
simple web of trust style, perhaps via some variant of cryptoless assertions
as described in
<http://commented.org/blog/2007/2/10/intro-to-crypto-less-assertions.html>

-Hans
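The whitelisting discussed in this thread is, on the RP side, a check that the OP endpoint discovered for a claimed identifier is one the RP has decided to trust. The following is an added example written for this page, not code from the thread or from any OpenID library; the endpoint URLs in the allowlist are constructed placeholders, and the function names are hypothetical. It shows the one part of such a policy an RP can actually enforce in code: canonicalising the endpoint URL so that case, default ports, fragments or a userinfo prefix cannot slip an untrusted OP past the list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of OP endpoint URLs (placeholder values, not from the thread).
# An RP would populate this from its own policy, e.g. OPs it has vetted or has a
# track record with, as the post suggests.
TRUSTED_OP_ENDPOINTS = {
    "https://op.example.com/server",
    "https://bank-op.example.org/openid",
}


def normalize_endpoint(url):
    """Canonicalise an OP endpoint URL so trivial variations compare equal.

    Lower-cases scheme and host, drops a default port, drops the fragment and any
    userinfo ("user@") prefix, and supplies "/" for an empty path. Returns None
    for URLs that cannot be parsed (e.g. a non-numeric port).
    """
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname or ""          # already lower-cased, userinfo removed
        port = parts.port                    # raises ValueError on a bad port
    except ValueError:
        return None
    if not scheme or not host:
        return None
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


# Normalise the allowlist once so both sides of the comparison use the same form.
_NORMALIZED_TRUSTED = {
    n for n in (normalize_endpoint(u) for u in TRUSTED_OP_ENDPOINTS) if n is not None
}


def is_trusted_op(op_endpoint):
    """Return True only for an https endpoint that is on the RP's allowlist.

    This is the RP-side decision the thread calls whitelisting: it does not (and
    cannot) verify what authentication the OP actually performed, it only restricts
    which OPs the RP is willing to rely on.
    """
    normalized = normalize_endpoint(op_endpoint)
    if normalized is None or not normalized.startswith("https://"):
        return False
    return normalized in _NORMALIZED_TRUSTED


if __name__ == "__main__":
    for candidate in (
        "HTTPS://OP.EXAMPLE.COM:443/server",
        "https://op.example.com/server#fragment",
        "http://op.example.com/server",
        "https://op.example.com@evil.example.net/server",
    ):
        print(f"{candidate!r}: trusted={is_trusted_op(candidate)}")
```

The comparison is done against the OP endpoint the RP itself discovered and verified the assertion against, never against a value the user or the OP merely claims, because the allowlist is only as strong as the RP's own discovery step.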

