security
Jonathan Daugherty
cygnus at janrain.com
Wed Oct 25 16:49:58 UTC 2006
# Well...you seem to be right, that this is not defined in the OpenID
# standard, which is really another bad thing and perhaps it's time to
# correct this now.
No, this is not a problem, because as Martin said, it is out of scope
for OpenID. An IdP's security and authentication practices are indeed
of great importance. But a read of the spec or even short
descriptions of what OpenID does will make it fairly clear that this
is not something we can legislate.
Essentially, your concern that IdPs could do sloppy things is not new,
and the response you will usually get is "Then sloppy IdPs will die
out, and user choices will naturally select for better IdPs." And,
yes, that is somewhat controversial if you don't think users *can*
choose well.
# If the IdP implements a sloppy authentication facility (and data
# storage etc), then the relying parties are going to suffer from
# this.
It is the users that will suffer. An RP is not liable for
IdP-facilitated compromise of an identity. :)
# The RP can't know which are the good or bad IdPs, and therefore a
# standard and rules have to be implemented, which define exactly what
# adequate protection of the facility - protection of the transport
# protocol and so on - is....
And even if you were to write up a list of fifty things that IdPs
ought to do to be Totally Secure, the RPs still won't know. Users
might, if the documentation is accessible enough (both physically and
otherwise), but in the end this boils down to the user needing to
trust the IdP. This is no less true of any SSL-enabled web site.
# Obviously a user URI and password alone isn't enough. I hear you
# saying...oh no...But let's look at this in practical terms: Today I
# run a forum, which requires one to provide a user name and password AND
# read a sequence of letters and numbers from an image. Otherwise the
# forum will be spammed by thousands of messages, and advertising of
# you know what...(Remember that Forums and Blogs are your target
# audience for now....)
You're right, and you've just outlined a good Best Practice for
identity providers.
# So if today such a spammer can get a URI from you, with just a user
# name and password, then they will run their robots and create every
# 10 minutes a new user and post to all the OpenID enabled forums and
# blogs. No chance for the forum operator blocking these users quickly
# enough....
I'd say new web application developers usually realize this, and use
captchas, etc.
# Because the URI seems to be public property,
It's not public property, but it is publicly viewable.
--
Jonathan Daugherty
JanRain, Inc.