[OpenID] Trust + Security @ OpenID
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sun Jul 8 19:36:01 UTC 2007
Hi Simon,
Simon Willison wrote:
> On 7/8/07, Brendan Taylor <whateley at gmail.com> wrote:
>
>> I especially don't understand why the RP cares about "integrity of the
>> authentication process". Surely it should be the user's responsibility
>> to select an OP with the security they require.
>>
>> I think this is going in the wrong direction; I would be very
>> disappointed if OpenID lost its decentralization, and I'm not sure why
>> people think it needs to.
>>
>
> I've been calling this the "outsourcing the security of our users"
> problem. Site owners are uncomfortable about relying on the security
> of the user's chosen OpenID provider - after all, if they pick a bad
> one then the site's own security measures are null and void.
>
You are absolutely right on that! More than that, if everybody can be
his own IDP (without any control) the fight against forum/blog spam is
lost right from the start! And we are talking about the lowest level of
entry for OpenID!!!!!
You all seem to have forgotten something, and please open your mind a
little bit and listen. Serious adoption of OpenID in masses will start
only if the web site operators trust it! Without it, there can be
millions of users who own an OpenID URI, but nowhere to use them.
From the web site operators' point of view (as the relying party), if
OpenID doesn't provide anything better than what they have currently,
why should they bother? They don't care about the convenience of the
user, but about their own! And OpenID will go the same path the (in)famous
Passport of Microsoft went...albeit for different reasons.
> My counter-argument is that if the site has a "I've forgotten my
> password" feature that uses e-mail to verify the user, they're already
> outsourcing the security of their users to that user's chosen e-mail
> provider, and OpenID changes nothing.
>
Right! But if OpenID is nothing better than mail servers, with the very
same huge problems of control, then nothing and nobody is going to
bother with it! Want to manage more black-lists, white-lists, anti-spam
tools? Go ahead, your login facility (i.e. forum, blog, etc.) needs it. ;-)
> That argument holds up well for many sites, but there are some sites
> (such as banks) that don't provide an e-mail recovery service,
> presumably precisely because they don't want to rely on the security
> of the user's email service. In those cases, whitelisting OpenID
> providers based on their security measures seems like a reasonable
> option. In fact, it's a great use case for OpenID - if someone has
> gone through the effort to do highly secure, phishing resistant
> two-factor authentication suitable for use with online banking, OpenID
> is a great way for that achievement to be re-used by other sites that
> need the same level of security.
OpenID does have a huge potential, but if you can't make the case for
low-level sites, forget about banks. I really try to find a common
ground in order to start off some control mechanism. Nobody is forced to
use it, but it will be an option available to site operators!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390
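The thread above argues over whether a relying party should whitelist OpenID providers by the assurance their login process gives. The block below is an added example of what such an RP-side check looks like; it is not code from the thread, from StartCom or from any OpenID library. The provider hosts, the assurance levels and the policy table are constructed for illustration. The point it makes is that the allowlist must be keyed on the exact host parsed out of the discovered OP endpoint URL (with https required), because a naive string-prefix match is bypassed by a look-alike subdomain or by userinfo in the URL.

```python
from urllib.parse import urlsplit

# Constructed registry (hypothetical hosts and levels, not real OPs).
# The level is the assurance the RP has decided each OP's login provides,
# e.g. "two_factor" for a phishing-resistant second factor as discussed above.
ASSURANCE_RANK = {"password": 1, "two_factor": 2}
TRUSTED_OPS = {
    "op.example.com": "two_factor",
    "login.example.org": "password",
}


def op_host(op_endpoint):
    """Return the host of a discovered OP endpoint URL, or None if unusable.

    Only https endpoints are accepted. urlsplit().hostname lowercases the
    host and discards userinfo and port, so an endpoint such as
    'https://op.example.com@evil.example/' yields 'evil.example', not the
    allowlisted host that appears at the start of the string.
    """
    parts = urlsplit(op_endpoint)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname


def op_meets_policy(op_endpoint, required="password", registry=TRUSTED_OPS):
    """True only if the OP is allowlisted and its level meets the RP's minimum."""
    host = op_host(op_endpoint)
    if host is None or host not in registry:
        return False
    return ASSURANCE_RANK[registry[host]] >= ASSURANCE_RANK[required]


def naive_prefix_check(op_endpoint, prefix="https://op.example.com"):
    """The shortcut to avoid: a string-prefix match on the endpoint URL.

    Kept here only to show what it wrongly accepts; do not use it as a check.
    """
    return op_endpoint.startswith(prefix)


if __name__ == "__main__":
    # Constructed endpoint URLs exercising the cases that matter.
    for url in (
        "https://op.example.com/server",
        "https://OP.Example.COM:443/server",
        "http://op.example.com/server",
        "https://op.example.com.evil.example/server",
        "https://op.example.com@evil.example/server",
    ):
        print(f"{url:48} policy={op_meets_policy(url, 'two_factor')} "
              f"naive={naive_prefix_check(url)}")
```

A site that only needs to keep spam out of a forum would call `op_meets_policy(endpoint)` with the default "password" level; a site with bank-like needs would pass "two_factor". Either way the decision stays with the site operator, which is the optional control mechanism the message above asks for.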