[OpenID] Durability of authorized sessions

Allen Tom openid at allentom.com
Wed Nov 28 19:45:52 UTC 2007 

Hi Tony,

I was referring to the session that the user has with their OP. 
Hypothetically, consumer oriented OPs may issue long lived sessions that 
persist across browser restarts and IP address changes. Users of these 
OPs may login to OpenID RPs without having to reauthenticate with their 
OP. In scenarios like this, the OP may very well be aware that its 
OpenIDs are not sufficient to authorize high value transactions, in 
particular, the user may have been using a shared computer and forgot to 
logout, or the users credentials may have been stolen via an XSS or MITM 
attack.

These security shortcomings can be addressed by using short lived 
sessions that do not persist across browser restarts, and also by tying 
the credentials to a particular IP address, however there's a usability 
cost in that users will need to frequently enter their password.

Again, it would be very nice to have a standard mechanism for an OP to 
indicate that its OpenIDs are not suitable for high value transactions. 
If there is not a mechanism to do this, then OPs may need to blacklist 
these RPs on a case by case basis, which is certainly not a scalable or 
desirable solution. Alternatively, OPs may need to have a whilelist of 
acceptable RPs which is also contrary to the spirit of OpenID.

Allen


Tony Locke wrote:
> Allen Tom wrote:
>
>   
>> [...] authorizing financial transactions generally requires that
>> the credentials be relatively short lived (like an hour) and be tied to
>> a specific IP address. In contrast, consumer oriented websites generally
>> tend to issue long lived credentials that are not bound to an IP address
>> (as consumers tend to roam and get re-IPed fairly often).  A
>> consumer-focused OpenID Provider may issue long lived credentials that
>> persist across browser sessions and IP address changes so that their
>> users don't need to type their password very often.
>>     
>
> As I understand it, with OpenId it's the RP and not the Provider that
> decides how long the original authentication lasts, and it's also the
> RP that decides what constitutes a session (ie, whether a session is
> broken by a change of IP address). I guess most RPs define a session
> with a cookie that persists until you close the browser. More
> stringent RPs could demand re-authentication every 30 minutes, say,
> and on each change of IP, and perhaps if 10 minutes goes by without
> any interaction.
>
> Regards,
>
> Tony.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20071128/1dfbb329/attachment-0002.htm>

More information about the general mailing list