[OpenID] Combining Google & Yahoo user experience research

Martin Atkins mart at degeneration.co.uk
Tue Oct 21 00:49:23 UTC 2008


SitG Admin wrote:
>> A more realistic situation for your argument would be if *your* OP had 
>> a security flaw that allowed someone to access your account *as you* 
>> and gain access to all operations that only you ought to be able to 
>> do. In this case it could be argued that the bank is culpable; that 
>> would certainly make for an interesting court case. Logically though, 
>> it should be your OP that catches the liability in this case, assuming 
>> that they didn't disclaim responsibility in their terms of service as 
>> Yahoo! currently does.
> 
> Or you for insisting on using an IDP that wasn't on the RP's "trusted" 
> list; this was my suggestion, though I have no idea how feasible it 
> would be ;)
> 

I'd say that your mistake was using an OP (IdP) that doesn't accept 
liability for high-value transactions, not using an OP that isn't on the 
trusted list. Of course, the RP could recommend to users some OPs it 
considers to be secure and/or which accept liability, but that might 
well make their liability situation *worse* if it turns out that one of 
the recommended OPs has a security flaw which allows fraud to occur, or 
if the RP inadvertently misrepresents the guarantee offered by the OP.

I'd say the RP's best option from a liability standpoint is to make it very 
clear at the outset that it is the OP rather than the RP providing 
security here, so it's important to pick a good OP. Now, you could argue 
(and I would agree) that most users aren't equipped to make this 
decision. I think this is the main problem here.

A compromise would be to say "we've struck business relationships with 
these providers and between the two of us we'll compensate you if fraud 
occurs. If you want to use another provider then you're welcome to go 
right ahead, but you should contact your provider for advice about 
liability guarantees, SLAs and so on." This would presumably manifest 
itself as a scary message that appears only if the user attempts to use 
an identifier from a non-approved OP, so it wouldn't get in the way of 
users using approved providers.

(Of course, I'm neither a lawyer, a businessman nor a user interaction 
expert. Therefore all of my thoughts on this subject should be taken as 
brainstorming rather than advice.)
