[OpenID] Benefits (and security model) of an interconnected network

SitG Admin sysadmin at shadowsinthegarden.com
Sun Aug 3 09:53:20 UTC 2008


At 3:38 PM +0900 7/30/08, Nat Sakimura wrote:
>>    - communication from RP into the social network of the user
>    => I am still vague on what it will be like.
>       Could someone post a concrete example use case, please?

Here are a couple:

1) Friend-list migration ;)
The user has a myopenid.com Identity, which they use to log into a 
photo site, a blog site, E-mail, and so on. While logged into the 
blog site, they add another user to their Friends list, and this blog 
site (as a Relying Party) contacts the photo site and the E-mail 
provider, and so on, to say "Hey, this other user is now on this 
user's Friends list." - whereupon the other RPs in that user's 
social network can move the second user (by their OpenID) onto the 
Friends list for their own services (such as private photos).

This is where I saw problems with the security model - what if a 
Relying Party provides such notification on its own behalf, or a 
hostile user breaks security at that RP and becomes marked as a 
Friend without going through proper channels? Also, this sort of 
cooperation between various Relying Parties providing a framework for 
the user's social network would remove granularity from the existing 
security model; as it is, users can grant permissions independently 
for each site they are using services on.

2) Sharing of information (Interests . . . )
I think this is worse than #1, actually; what if one RP says the user 
loves Duran Duran and another RP says the user *hates* Duran Duran?

Which one gets precedence? What if the user doesn't care one way or 
another and hasn't even heard of Duran Duran, much less been asked by 
*either* RP what their opinion is?

These are just a couple of concrete examples, and I think they 
illustrate the need for making this whole "benefit" idea less vague. 
We need to know what we're looking forward to here so we can 
anticipate the *serious* problems.

If these Relying Parties *are* exchanging information about the user, 
I'd hope to see explicitly identified sources, at the very least. If 
there were 3 sites and Site A knew not to trust information from site 
C, but was okay with accepting whatever site B said, but then Site B 
accepted information from site C and republished it as original data, 
site A would indirectly have accepted that information from site C.

-Shade
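
The Site A / Site B / Site C case from the message above, as an added example that is not part of the original post: a receiving site checks every identified source of an assertion rather than only the immediate sender. The `Assertion` structure, the policy functions and the `*.example` site names are assumptions made for illustration; nothing here is an OpenID-defined format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    subject: str        # OpenID the claim is about
    claim: str          # e.g. "friend:<openid>"
    origin: str         # site that first made the claim
    relays: tuple = ()  # sites that passed it on, in order

    def relayed_by(self, site, honest=True):
        """Return the copy that `site` republishes.
        honest=False models a relay presenting the data as its own."""
        if honest:
            return Assertion(self.subject, self.claim, self.origin,
                             self.relays + (site,))
        return Assertion(self.subject, self.claim, origin=site)

    @property
    def sender(self):
        return self.relays[-1] if self.relays else self.origin

def accept_by_sender(a, trusted):
    """Naive policy: only the immediate sender is checked."""
    return a.sender in trusted

def accept_by_provenance(a, trusted):
    """Every identified source (origin and each relay) must be trusted."""
    return all(site in trusted for site in (a.origin, *a.relays))

# Constructed policy: Site A accepts data from Site B, not from Site C.
SITE_A_TRUSTS = frozenset({"site-b.example"})

def demo():
    # Constructed sample assertion first published by Site C.
    from_c = Assertion("https://user.example/",
                       "friend:https://other.example/",
                       origin="site-c.example")
    labelled = from_c.relayed_by("site-b.example")
    laundered = from_c.relayed_by("site-b.example", honest=False)
    return {
        "naive_labelled": accept_by_sender(labelled, SITE_A_TRUSTS),
        "provenance_labelled": accept_by_provenance(labelled, SITE_A_TRUSTS),
        "provenance_laundered": accept_by_provenance(laundered, SITE_A_TRUSTS),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The last case is still accepted: once Site B republishes the data as original, the source labels no longer carry Site C's name, so the check only helps when relays preserve them.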


