[OpenID] Live Icons for visual recognition of IDP logos

Peter Williams pwilliams at rapattoni.com
Thu Apr 2 02:19:12 UTC 2009

There seem to be 3 main technical choices, for _mainstream_ failure engineering addressing OPs (or suspension/cessation of assertion-minting privileges by the OP, under its terms of service).

- RPs normally bind multiple openids to the account
- RPs host a new vanity XRDS, delegating to both the introducing OP and to at least itself (as a fallback OP)
- RPs offer account recovery/restoration, based on some or other authentication scheme

My wife just had an unpleasant ebay experience, leading ebay to suspend her account after 3 years happy-ebaying (after some merchant made a (dubious in my independent view) allegation, but who played the trust game under ebay's reputation rules MUCH better than she did). Loss of the ebay auction privileges was no great shakes (Peter is less poor this month than last). But ... Ah, sorry! Now no more access to "your" photos on photoshare.com for you, dear _former_ ebay-subscriber.

From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Wednesday, April 01, 2009 6:16 PM
To: Peter Williams
Cc: Allen Tom; general
Subject: Re: [OpenID] Live Icons for visual recognition of IDP logos

Honestly, Peter, the belly-up OP is what scares me the most about OpenID.  And I really like OpenID.  As large and well-written as myopenid.com seems to be, I'd never recommend my less-tech-savvy family use it over yahoo.com or google.com as an OP because I'm not convinced myopenid.com will be around for 25 years.  That's why I use my "vanity" url.  It's not for vanity at all... it's for my own identity protection.  But the vanity url has to be at my own domain name so that no belly-up company can take down my identity. That obviously isn't a solution that will work for my friends and family.

One other problem with listing lots of popular OPs at an RP is that a user will learn to rely on his OP being shown, and even if the OP doesn't go belly-up, if it disappears from an RP's list of logos, many users will not know how to log in any more and assume they're locked out.  Bad scenario.

Personally, I'm uncomfortable with the idea that I'm logging in with OpenID in order to avoid a username/password and account recovery process at an RP, and yet that RP offers an email recovery for that account.  That feels insecure to me.  I want to separate my all-unlocking email address from all my other web accounts. If someone compromises my email address, I'd really rather they not gain access to all my web accounts at the same time.  So I don't want RPs to offer an account recovery option if I use OpenID to log in.  Let account recovery be an OP issue.

Now if the OP goes belly-up, or locks the user out of their account for any random reason, what recourse does the user have?  Well, in the real world we have government that can help us prove our identity to various parties if we lose our driver's license or something.  Perhaps we need a trusted entity like that for the Internet. (I can already hear many of you screaming).

An alternative to relying on an OP or running your own vanity URL is hosting your own identity on your own box.  Too complicated for the average joe?  Not so much if you use InfoCard.  InfoCard elegantly puts complete identity control in the user's hands, and without any risk of ever having it revoked by someone else.  There are a couple of problems with InfoCard as it stands today though that I see: infocards are not easily transportable to other computers (yet), and if they are lost without a backup, they're gone forever and so is your access to Internet sites.

Since I don't have the perfect solution for either side, DotNetOpenAuth's openid login popup will probably feature a couple of major OPs, an OpenID logo, and an InfoCard logo, allowing the user to pick what they're most comfortable with.

Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Wed, Apr 1, 2009 at 5:50 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

Think about the message it's sending.

Who would want to put their family photos on a site they may not be able to access tomorrow (when some OP goes belly-up)?

Surely an RP needs to assure its users that there exists the means to replace the OP? The dotcom bust taught us that lots of service companies do in fact go belly-up, in the usual boom/bust cycle.

Would be strange if the UCI mission of openid facilitates data and identity portability, but then the failure engineering of the overall service still means you can STILL easily lose access.

Presumably, the RP might retain the user's email address(es) from the sreg handoff, so it can send access-recovery URLs granting the user access WITHOUT using any of the registered OP(s) for the account.

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Wednesday, April 01, 2009 5:39 PM
To: Allen Tom
Cc: general
Subject: Re: [OpenID] Live Icons for visual recognition of IDP logos

[Peter Williams]

whether they trust them to just not go belly-up and thereby locking out their users from their accounts at that RP, some trust should be implied by an RP listing OP logos.
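
Added example, not part of the thread and not code from any OpenID library: a sketch of the second option listed at the top of the thread, a vanity XRDS that delegates to the introducing OP and names the RP's own OP as fallback. It shows how the signon services are ordered by priority and how selection moves to the fallback when the preferred OP is gone. The hostnames, the function names and the XRDS document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"
SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed vanity XRDS hosted by the RP (trusted, self-authored input).
# Preferred: the introducing OP. Fallback: the RP's own OP endpoint.
VANITY_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://rp.example/fallback-op</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/server</URI>
      <LocalID>https://alice.op.example/</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""


def signon_endpoints(xrds_text):
    """Return (rank, op_endpoint, local_id) tuples, most preferred first."""
    found = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]
        uri = (svc.findtext(XRD + "URI") or "").strip()
        if SIGNON not in types or not uri:
            continue  # not an OpenID 2.0 signon service, or no endpoint given
        prio = svc.get("priority")
        # Lower value means more preferred; a missing priority sorts last.
        rank = int(prio) if prio is not None else float("inf")
        found.append((rank, uri, svc.findtext(XRD + "LocalID")))
    return sorted(found, key=lambda e: e[0])


def choose_op(xrds_text, unavailable=frozenset()):
    """Pick the most preferred endpoint not known to be down or refusing the user."""
    for _rank, uri, local_id in signon_endpoints(xrds_text):
        if uri not in unavailable:
            return uri, local_id
    return None  # every listed OP is gone: only account recovery remains
```

The claimed identifier stays the vanity URL throughout, so the account binding at other RPs survives the switch of OP.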
