[OpenID] How can an RP trust your OP?
Martin Paljak
martin at paljak.pri.ee
Fri Jul 6 10:01:49 UTC 2007
On 06.07.2007, at 12:14, Andrew Tomlinson wrote:
> While people are all using OpenID for things that are low value (no
> getting a bank loan based on simply OpenID authentication) ad-hoc trust
> relationships for OP/RP aren't an issue. People want to do better
> so we come up with suggestions like:
What is the ratio of low value sites vs high value sites on the
internet? Do you want, right now, for your bank to let you into their
online system with your OpenID? If you consider your trust as a
constant, how do you divide it currently between the low and high
value sites you use?
> Isn't there a way we can avoid going the same way? The last thing
> we need is identifiers only being usable on the OP and their RP
> sister sites because of a complicated mix of reputation rules and
> lists. I know it isn't really the job of the protocol, but it is all
> part of the package.
I don't see any trends in that matter, other than 'get your openid'
links at login pages that direct users to affiliate OpenID providers.
I hope nobody wants to question the security of those providers. But
your concern is valid.
> It seems obvious that a user must think that their OP is
> trustworthy enough for what they want to use it for - it is their
> choice to make. The problem I see is whether the RP can reasonably
> trust the OP to act as an authentication agent for a specific type
> of transaction - especially where money is concerned. Also without
> SSL and mutually agreed certification roots
I believe that one should forget the technology for a second and
think about the problem with the user in the center: the RP should
trust the user not the OP. It doesn't matter if the RP trusts the OP
or not - say it does but if the user is rogue then everything above
"authentication" is bogus and possibly false (registration info, and
possibly credit card numbers etc) - the trust that RP puts into OP is
worthless if the RP actually doesn't trust the user at all (and for a
reason). I believe all other transactions (above login, that move
money around) should be secured by other means. OpenID just gives the
answer 'who you are?' but money transactions are usually
authenticated and guarded by other means (credit card at your trusted
bank, digital signatures etc).
I see OpenID as an easy, portable, lightweight way of moving your
'me' around the network and adding some auto-discovery and
interoperability into the game. Me personally - I don't want my bank
to use OpenID for *authentication* even though it could make use of
my OpenID URL for some possible automation or data exchange purposes.
> then how does the RP know that the OP even is the OP that the user
> trusts? If trusted SSL isn't required then why would a spoofer use it?
It is a problem. True. But maybe OpenID does not want to enter the
super-trust market?
> How about adding "acceptable use" metadata into the XRDS about what
> to use a specific OP for? E.g. "For this OP recheck trust before
> purchases and require SSL always" or "only trust an OP with this
> public key"? Of course you would need to keep the XRDS on a trusted
> secure server... ;)
This is difficult to implement. It tries to 'help' or 'direct' RPs
in their trust evaluation but for it to work on infrastructure scale
you need another infrastructure to manage the trust in this
suggestion system. Endless trust loop.
I even believe that the same way one can't sell "complete security in
a box" for €99 it is almost impossible to sell a uniform "trust in a
box" solution. Trust is very personal and this applies to RPs (the
persons building the RP have their own trust metrics and policies and
there's nothing you can do to change that).
--
Martin Paljak
http://martin.paljak.pri.ee