[OpenID] Combining Google & Yahoo user experience research
Brandon Ramirez
brandon.s.ramirez at gmail.com
Mon Oct 20 03:38:03 UTC 2008
But the trust model is what makes that leap between an open id identifier
and an actual identity. When we identify a user, we don't really care about
the URI or XRI, we care about the identity of the remote entity. The
identifier is just a token. It means nothing without some assurance that it
means something.
An authentication protocol that does not actually handle the authentication
or trust is merely a validation technique. It validates that a given OpenID
identifier *is* valid. It makes no assurances as to who it is. As a
result, I concur that it's great for transactions of no value. Financial
transactions needs to actually authenticate a living person, and that is
impossible to do without an established trust model. So OpenID won't scale
to high-security environments. Was it really only designed to work for
blogs?
- Brandon
On Sun, Oct 19, 2008 at 1:53 PM, Martin Atkins <mart at degeneration.co.uk>wrote:
> That depends on what it is you're trusting. OpenID allows you to trust
> (man-in-the-middle attacks and phishing not withstanding) that a user "owns"
> a given URI.
>
> When OpenID talks about "identity" it is that URI it's talking about. This
> is why I tend to make a point of using the word "identifier" instead of
> "identity", since it makes it clearer what we're talking about. An OpenID
> identifier is similar to a social security number or credit card number in
> that it gives you a name to call something or someone by. The OpenID
> Authentiction protocol allows you to verify that someone is the rightful
> owner of that name, for some definition of "rightful".[1]
>
> Since users can self-issue identifiers, OpenID itself can't tell you
> anything else about a user other than that they "own" an identifier. When
> OpenID folks talk about building trust apon this, they generally mean using
> OpenID identifiers to identify parties in trust relationships.
>
> I hope this clears things up. I'd agree that some of the terminology that
> has been historically used around OpenID is a bit confusing. In particular,
> the text that originally said "OpenID is not a trust system. Trust requires
> identity first" would be better stated, I feel, as "OpenID is not a trust
> system. Trust systems are easier to build when you have globally-significant
> verifiable identifiers." Doesn't make for quite as catchy a soundbite,
> though.
>
> Cheers,
> Martin
>
> [1] There is, of course, no reason why someone who owns a URL can't allow
> everyone to be the "owner" of it per OpenID's definition. Likewise, though,
> there's no reason why I can't put some local user credentials on BugMeNot
> and create a "public" account that way.
>
> Brandon Ramirez wrote:
>
>> Can we have identity without trust? Can we have trust without identity?
>> In my mind, the two are interwoven. When a person identifies themselves,
>> we need some element of trust (if we're in person and we've met them before,
>> our memory provides that trust, if not, a photo ID , etc.). To rephrase,
>> I'd say that identity can technically exist without trust, but it's
>> meaningless to us humans.
>>
>> Trust can also not exist without identity. If you login to my web site, a
>> 3rd party vouches for your claim of identity. In order to trust this 3rd
>> party, I must know who they are. If it's a random entity, then why should I
>> trust them? It's like a driver's license. It's only a valid form of ID
>> because it's certified by the government, and we know who the different
>> government entities are (DMV, Department of State, etc.). If I were a
>> bouncer checking ID's, I'd be a bit suspicious if someone gave me a driver's
>> license issued by "State of MyFakeState". The same goes for virtual
>> identity. Why should I trust a random OP?
>>
>> - Brandon
>>
>> On Sat, Oct 18, 2008 at 12:23 AM, Chris Messina <chris.messina at gmail.com<mailto:
>> chris.messina at gmail.com>> wrote:
>>
>> I don't think that it's necessarily OpenID's job to solve these
>> specific problems. It's really an identity protocol; trust, veracity
>> and authenticity (in the human sense) are, by design (and by
>> extension, politics) purposely kept out of scope.
>>
>> Several of our companies, mine included, operate in the space
>> afforded by the adoption of a technology like OpenID, where you can
>> choose to have increasing levels of complexity, encryption, circuity
>> and sophistication to thwart those who would gain by attempting to
>> act as though they were you.
>>
>> Whether you verify that you're human by receiving a $1 transaction
>> or a 5 character text message is actually an opportunity for
>> innovation and research, and by promoting the adoption of OpenID as
>> a common conduit, we enable the pre-conditions for such an industry
>> to grow up with consumer-facing services (as opposed to enterprise).
>>
>> My girlfriend today commented that OpenID is too hard because it
>> requires too many steps. She wasn't talking about the authentication
>> dance -- and she didn't even mind typing in her blog address to sign
>> in (she's delegated to ClaimID.com). Instead her gripe was with the
>> form-filling process *immediately* following the sign in process
>> where, even though her OpenID provider has her name, email, bio and
>> a bunch of other choice tidbits, the relying party either didn't, or
>> didn't know how to, ask for it from her IdP. And since she had to
>> re-enter this data *yet* again, OpenID as a whole ended up looking bad.
>>
>> The point that I'm ultimately making here is that we could sit here
>> all day arguing over the need to secure one's identity and how to do
>> it, but for most people, that's self-referential bike shed painting.
>>
>> We need this stuff to just work and get out of the way (unless a
>> user chooses otherwise), and no user interface research is going to
>> be complete unless we also weigh the second order benefits of
>> time-saving and smoother flows that can come by enhancing the
>> standards-based identity technologies.
>>
>> To that end, I think we need to think beyond just authentication
>> here, and look at what happens immediately AFTER you've signed in
>> with OpenID. How can we make that experience intuitive, compelling,
>> desirable and motivating? How can we get it in people's heads that
>> the OpenID experience is the one that they WANT -- and the one that
>> they should DEMAND from their favorite web services?
>>
>> If we can't improve even the basic sign up and sign in flows from
>> where they are today, indeed, we will continue struggle with basic
>> issues like awareness and adoption.
>>
>> Chris
>>
>>
>> On Fri, Oct 17, 2008 at 8:50 PM, Peter Williams
>> <pwilliams at rapattoni.com <mailto:pwilliams at rapattoni.com>> wrote:
>>
>> This assurance/practice using email is essentially identical to
>> the infamous dollar auth transaction, against VisaNet. If one
>> can get an auth from VISA to allow the user a $1 credit, then
>> you can infer the VISA number is accurate, and in good standing.
>> It implies identity verification (and you can invoke fraud law
>> against any law breakers).
>>
>> This it itself only a variant of a 100year old FBI trick, to
>> induce someone under prosecution threat to commit formal mail
>> fraud ... so one can get obtain leverage (incarceration, anal
>> probing, association with the explicit violence of gangland
>> present in holding cells etc) during a plea bargain over
>> something much harder to prove.
>>
>>
>> Attack surfaces tend to be multi-level (and that's a pun).
>>
>>
>> -----Original Message-----
>> From: general-bounces at openid.net
>> <mailto:general-bounces at openid.net>
>> [mailto:general-bounces at openid.net
>> <mailto:general-bounces at openid.net>] On Behalf Of Allen Tom
>> Sent: Friday, October 17, 2008 8:35 PM
>> To: Dick Hardt; OpenID List
>> Subject: Re: [OpenID] Combining Google & Yahoo user experience
>> research
>>
>> Dick Hardt wrote:
>> >
>> > The UX of getting a verified email and then auto binding an
>> existing
>> > account is cleaner. It does mean that if I can prove I have
>> your email
>> > address, that I can take over your account. Seems to broaden the
>> > attack surface rather then narrow it.
>> >
>>
>> Hi Dick,
>>
>> Many sites allow an account's password to be reset by sending a
>> Reset
>> Token to an email address associated with the account. An
>> attacker who
>> gains access to the email address is able to reset the password,
>> and is
>> therefore able to take over the account. If the ability to reset a
>> password is equivalent to logging in, then the attack surface is
>> really
>> unchanged.
>>
>> Allen
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net <mailto:general at openid.net>
>> http://openid.net/mailman/listinfo/general
>> _______________________________________________
>> general mailing list
>> general at openid.net <mailto:general at openid.net>
>> http://openid.net/mailman/listinfo/general
>>
>>
>>
>>
>> -- Chris Messina
>> Citizen-Participant &
>> Open Technology Advocate-at-Large
>> factoryjoe.com <http://factoryjoe.com> # diso-project.org
>> <http://diso-project.org>
>> citizenagency.com <http://citizenagency.com> # vidoop.com
>> <http://vidoop.com>
>> This email is: [ ] bloggable [X] ask first [ ] private
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net <mailto:general at openid.net>
>> http://openid.net/mailman/listinfo/general
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081019/f092f68f/attachment-0002.htm>
More information about the general
mailing list