[OpenID] Trust + Security @ OpenID

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Sun Jul 8 19:36:01 UTC 2007


Hi Simon,

Simon Willison wrote:
> On 7/8/07, Brendan Taylor <whateley at gmail.com> wrote:
>   
>> I especially don't understand why the RP cares about "integrity of the
>> authentication process". Surely it should be the user's responsibility
>> to select an OP with the security they require.
>>
>> I think this is going in the wrong direction; I would be very
>> disappointed if OpenID lost its decentralization, and I'm not sure why
>> people think it needs to.
>>     
>
> I've been calling this the "outsourcing the security of our users"
> problem. Site owners are uncomfortable about relying on the security
> of the user's chosen OpenID provider - after all, if they pick a bad
> one then the site's own security measures are null and void.
>   
You are absolutely right on that! More than that, if everybody can be 
his own IDP (without any control) the fight against forum/blog spam is 
lost right from the start! And we are talking about the lowest level of 
entry for OpenID!!!!!

You all seem to have forgotten something and please open your mind a 
little bit and listen. Serious adoption of OpenID in masses will start 
only if the web site operators trusts it! Without it, there can be 
millions of users who own a OpenID URI, but nowhere they can use them.
 From the web sites operators point of view (as the relying party), if 
OpenID doesn't provide anything better than what they have currently, 
why should they bother? They don't care about the convenience of the 
user, but of their own! And OpenID will go the same path the (in)famous 
Passport of Microsoft went...albeit for different reasons.
> My counter-argument is that if the site has a "I've forgotten my
> password" feature that uses e-mail to verify the user, they're already
> outsourcing the security of their users to that user's chosen e-mail
> provider, and OpenID changes nothing.
>   
Right! But if OpenID is nothing better than mail servers, with the very 
same huge problems of control, than nothing and nobody is going to 
bother with it! Want to manage more black-lists, white-list, anti-spam 
tools? Go ahead, your login facility (speak forum, blog etc) needs it. ;-)
> That argument holds up well for many sites, but there are some sites
> (such as banks) that don't provide an e-mail recovery service,
> presumably precisely because they don't want to rely on the security
> of the user's email service. In those cases, whitelisting OpenID
> providers based on their security measures seems like a reasonable
> option. In fact, it's a great use case for OpenID - if someone has
> gone through the effort to do highly secure, phishing resistant
> two-factor authentication suitable for use with online banking, OpenID
> is a great way for that achievement to be re-used by other sites that
> need the same level of security.
OpenID does have a huge potential, but if you can't make the case for 
low-level sites, forget about banks. I really try to find a common 
ground in order to start of some control mechanism. Nobody is forced to 
use, but it will be an option available to sites operators!

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070708/dbd23525/attachment-0002.htm>


More information about the general mailing list