[OpenID] OpenId downtime
Bajaj, Siddharth
sbajaj at verisign.com
Mon Dec 10 21:51:56 UTC 2007
It seems that there are a few different ways to address this issue. Though because you are making
login to your service dependent on an external web service (OpenID provider), there is going to be
that risk:
1) Build in redundancy into the OpenID provider
Uptime and availability is one of the things on which an OpenID provider can differentiate from
other OpenID providers.
What we could do is enable the OpenID provider to clearly communicate its SLA in
a clear manner to the end-user as well as relying party so that the end-user can make an informed
decision as well as the relying party can clearly request policies around SLA of the OpenID
provider.
(This is similar to the PAPE - which is around security policies)
Of course there are several techniques available today for OpenID providers to build in redundant
and highly available services - this would be out of scope of this discussion.
2) Build in some redundancy into the protocol. There has been some discussion about this on the
mailing list. Again I'm not sure that it is possible to build in redundancy unless there is a smart
client that is doing the failover if at the network layer.
3) Relying Party provides one-time/limited access
Of course the relying party may want to have some way to allow a user limited access (one-time
access codes and such) after verifying the user's identity. There are several techniques that
people use, including sending one-time access codes to registered phone numbers (SMS), email
addresses, challenge-response questions, etc. Most web sites already have this functionality today
to support 'forgotten password' scenarios.
4) User can use another OpenID provider - Relying party can let the user register multiple OpenIDs,
i.e. aliases, to access the service. Of course the issue here is additional onus on the user.
Note that of course the above approaches are not mutually exclusive but they could be used
together.
I don't know if there is an OpenID Relying Party best-practices document...
Siddharth
>
> Message: 2
> Date: Thu, 6 Dec 2007 18:10:13 +0000
> From: "André Luís" <andreluis.pt at gmail.com>
> Subject: Re: [OpenID] OpenId downtime
> To: "Dominick Accattato" <daccattato at gmail.com>
> Cc: general at openid.net
> Message-ID:
> <dc1a17860712061010k6d371e27j78cb2b9bf16df8c7 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> That's why I believe it's a good practice for each user to have more
> than one provider and for the consumer services to allow registering more
> than one OpenID address for each of their accounts.
>
> I'm new to the list, so pardon if any of this has been argued against.
>
> Cheers,
> André Luís
>
> On Dec 6, 2007 5:47 PM, Dominick Accattato <daccattato at gmail.com> wrote:
> > What happens when an OpenId provider is down:
> > http://www.alexanderinteractive.com/blog/2007/09/disadvantage-of-openid-and-web-services.html
> >
> > --
> > Dominick Accattato, CTO
> > Infrared5 Inc.
> > www.infrared5.com
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
> >
>
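
Options 3 and 4 from the message above, seen from the relying party's side, as an added example that is not part of the original message or of any OpenID library. The class name, method names, and the 8-digit code with a 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600  # seconds a one-time code stays valid (assumed value)


class RelyingPartyAccounts:
    """Hypothetical in-memory account store for a relying party."""

    def __init__(self):
        self.openids = {}  # claimed OpenID identifier -> account id
        self.pending = {}  # account id -> (SHA-256 of code, expiry time)

    def link_openid(self, account_id, identifier):
        # Option 4: several OpenIDs (aliases) may map to one account,
        # but one identifier must never map to two accounts.
        owner = self.openids.setdefault(identifier, account_id)
        if owner != account_id:
            raise ValueError("identifier already linked to another account")

    def account_for(self, identifier):
        # Called after the OpenID assertion for `identifier` has been verified.
        return self.openids.get(identifier)

    def issue_code(self, account_id, now=None):
        # Option 3: fallback when no linked provider is reachable.
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[account_id] = (digest, now + CODE_TTL)
        return code  # send to the registered phone or e-mail address

    def redeem_code(self, account_id, code, now=None):
        now = time.time() if now is None else now
        # pop() makes the code single use; a wrong guess also consumes it.
        entry = self.pending.pop(account_id, None)
        if entry is None:
            return False
        digest, expiry = entry
        guess = hashlib.sha256(code.encode()).digest()
        return hmac.compare_digest(digest, guess) and now <= expiry
```

Because a failed attempt discards the pending code, each issued code allows exactly one guess; a production relying party would also rate-limit `issue_code` per account.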