[OpenID] Combining Google & Yahoo user experience research
Brandon Ramirez
brandon.s.ramirez at gmail.com
Mon Oct 20 19:46:45 UTC 2008
Simple. Suppose I choose an OP that allows for 1 character
passwords. The RP has no way of knowing that. By supporting openid
and arbitrary OP's, they assume the risk of a security compromise /
identity theft. They would be wise to just not allow it.
I care who my bank trusts. If my money gets stolen because somebody
setup their own OP that requires no authentication (yes, security
through obscurity) and some attacker gained enough entry to the bank's
web app that they exploited a security flaw (let's face it... Most
security is perimeter-based and becomes less stringid post-login), I'd
be VERY angry with my bank.
Heck, I' be upset if that happened to my facebook account or my blog.
By allowing a bank, content provider, or anyone else access to my
money, personal information, even photos, I trust them to make wise
decisions about how to protect it. Thus, I trust whomever they trust.
- Brandon
Sent from my iPhone
On Oct 20, 2008, at 3:14 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> Well if the bank can't trust your openid provider (which from their
>> perspective is an arbitrary OP), then why should they assume the risk
>> of supporting it?
>
> Is there a risk from supporting it?
>
>> The bank has to protect itself and frankly *they* don't care who you
>> trust.
>
> Do we care who the bank trusts?
>
> What if the bank were to say "If you use *our* (bank-trusted) IDP
> *we* assume liability, but if you want to use any other than our
> liability is limited."? (Perhaps coupled with a limit on
> transactions conducted with that "less bank-trusted" IDP?)
>
> -Shade
More information about the general
mailing list