[OpenID] openid query
George Fletcher
gffletch at aol.com
Fri Feb 29 13:29:01 UTC 2008
Martin Atkins wrote:
> Vipin Rathor wrote:
>
>> Hi all,
>> I'm a newbie bitten by the openid bug. I was just wondering how a
>> website using an openid service (let's say magnolia) trusts an openid
>> service provider (say verisign)?
>> Is there any trust relationship that both need to have beforehand? If
>> not, then why not?
>>
>> Thanks in advance.
>>
>>
>
> In most cases today no explicit, pre-existing trust relationship exists
> between relying party and OpenID provider. The RP simply verifies that
> the OP is authorized to make assertions about the given URL by
> performing OpenID Discovery on that URL. A shared session key is
> automatically created when necessary between OP and RP so that they can
> communicate securely.
>
> An untrustworthy OP can, assuming that the RP is implemented correctly,
> only make false assertions about URLs that declare it as their OP.
>
>
That is very true, but I don't think it solves the problem. As long as
the RP has no issues with allowing these "false assertions" then
everything is fine. The problem arises when the resources being provided
to the OpenID are "valuable" in some way such that the RP wants to
protect against providing them to falsely asserted OpenIDs. Sure the RP
can do its own validation (e.g. email verification, cell phone
verification, RP specific "security questions") but that doesn't prevent
the creation of "bug-me-not" solutions. The RP would need its own
secret to verify the user and then it's acting as an IdP.
I sort of equate it to... A random person walks up to someone and asks
for a dollar and their address; they'll pay the person back. As long as
there aren't too many of these people the person might agree. However,
if a random person walks up to someone and asks for 100 dollars and their
address, they'll probably say no.
As Nat says, reputation can help significantly (provided you "trust" the
reputation service ;) ). Or as others have mentioned, white lists. Of
course, you could also design the RP with increasing levels of service
based on the RP's "trust" of the customer. So the customer has to "earn
some level of trust" in order to get access to increasingly valuable
services. Whether customers want to wait through that process is another
matter.
Thanks,
George
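The check Martin describes above (the RP performs discovery on the claimed URL and accepts an assertion only from the OP that URL declares) as an added example; this is not code from the thread or from any OpenID library. The identifier pages are constructed inline in place of a real HTTP fetch, and only HTML-based discovery is modelled, with no signature verification.

```python
# Added example: RP-side "is this OP authorized for this identifier?" check.
# IDENTIFIER_PAGES is a constructed stand-in for fetching the claimed
# identifier URL over HTTP (a real RP would GET the URL, follow redirects,
# and also attempt Yadis/XRDS discovery).
import re
from urllib.parse import urlparse

IDENTIFIER_PAGES = {
    "https://alice.example.net/": '<html><head>'
        '<link rel="openid2.provider" href="https://op.example.com/server">'
        '<link rel="openid2.local_id" href="https://alice.example.net/">'
        '</head></html>',
    "https://bob.example.org/": '<html><head>'
        '<link rel="openid2.provider" href="https://other-op.example/endpoint">'
        '</head></html>',
}

_LINK_RE = re.compile(r'<link\s+[^>]*>', re.I)
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def discover_op_endpoint(claimed_id):
    """HTML-based OpenID 2.0 discovery: return the OP endpoint that the
    claimed identifier's page declares, or None if it declares none."""
    page = IDENTIFIER_PAGES.get(claimed_id)
    if page is None:
        return None
    for link in _LINK_RE.findall(page):
        attrs = {k.lower(): v for k, v in _ATTR_RE.findall(link)}
        if attrs.get("rel", "").lower() == "openid2.provider":
            return attrs.get("href")
    return None

def _norm(url):
    # Compare scheme/host case-insensitively and ignore a trailing slash so a
    # cosmetic difference does not produce a false mismatch.
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))

def accept_assertion(assertion):
    """Accept a positive assertion only if discovery on openid.claimed_id
    names the OP endpoint given in openid.op_endpoint. An OP that is not
    declared by the identifier is rejected, whatever it claims."""
    claimed = assertion.get("openid.claimed_id")
    asserted_op = assertion.get("openid.op_endpoint")
    if not claimed or not asserted_op:
        return False
    discovered = discover_op_endpoint(claimed)
    return discovered is not None and _norm(discovered) == _norm(asserted_op)
```

This is the "implemented correctly" condition from the reply: a rogue OP can still lie about identifiers that point at it, but not about anyone else's.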