[OpenID] [security] Re: generation fragments

SitG Admin sysadmin at shadowsinthegarden.com
Fri Sep 5 00:50:00 UTC 2008


>As it currently stands, if a user is hosting his own identifier, 
>whether by delegation or by running his own OP, it becomes his 
>responsibility to protect that identifier from being compromised by 
>others.

And we all know how tech-savvy and security-aware the typical user is ;)

One of the selling (adoption) points for OpenID has been how easily 
you can set it up, just adding one or two headers to a page. If we 
have to add a caveat to this like "But you'd better be tech-savvy 
enough to understand and address these security risks or you'll be 
leaving yourself open to identity theft and, as far as the rest of us 
are concerned, it'll be all your fault." we might be better off just 
not saying that. But if the typical (*not* tech-savvy) user has to 
rely on large-scale identity providers to securely host their URI, 
the decentralization factor loses credibility, since those large 
sites effectively *own* all OpenIDs between them, and only a small 
number of people have anywhere to go besides another of the large 
sites.

Donning my Relying Party hat for a moment (and pretending that I'm 
already prepared to accept arbitrary users), this is very worrisome 
for letting users input anything that wouldn't be public anyway, and 
then grant them later access to this same data on the merit of 
nothing more than having the same URI (and since that's practically 
the basis of OpenID, this is a very bad thing to be worried about).

Perhaps an informal polling of various places offering web services, 
to see how many are web 2.0 aware, and get an idea of their policy 
for how long (if ever) before old account names can be recycled? The 
latter could be used to help the Foundation decide on a safe time 
limit for RPs to automatically recycle unused URIs within, in their 
OP/RP best practices list. The former looks to be a herculean task 
(how many small-time hosting companies could there be?), and wouldn't 
matter if the companies practiced good username-recycling policies, 
but perhaps a space for volunteer-only efforts would strike a 
comfortable balance between enabling it and not wasting too much work 
on it? I see a flow of:

1) I go to the OpenID website and check a page in the wiki listing 
companies whose status we know.
2) I don't see the one I'm currently paying for service on that list, 
so I call mine up and question them.
3) I go back to the wiki and report my findings, or, if I don't have 
an OpenID yet, E-mail someone who does have one.

The latter would only need a large sampling of various companies to 
fairly reflect the current state of affairs, the former would be an 
ongoing effort. Thoughts on either?

-Shade
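The RP-side concern raised above (granting a returning URI access to previously entered data on nothing more than the URI matching) and the proposed "safe time limit for RPs to automatically recycle unused URIs" can be shown as a small worked example. This is added illustration, not code from the thread or from any OpenID library: the store, the account class, the 180-day window and the sample identifier http://example.com/alice are all assumptions. The only signal the RP has is its own last-login timestamp, so the store detaches an account's data from a URI that has been idle longer than the policy window and starts a fresh account instead of handing the old data to whoever now controls that URI.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    """One RP-local account bound to a claimed OpenID URI (hypothetical model)."""
    account_id: int
    openid: str
    last_login: datetime
    private_data: dict = field(default_factory=dict)


class RelyingPartyAccounts:
    """Hypothetical RP account store keyed by claimed OpenID URI.

    recycle_after is the assumed policy window: a URI not seen for longer
    than this is treated as possibly reassigned at the OP or hosting
    company, and its old account is retired instead of being reused.
    """

    def __init__(self, recycle_after: timedelta):
        self.recycle_after = recycle_after
        self._by_openid: dict[str, Account] = {}
        self.retired: list[Account] = []
        self._next_id = 1

    def _create(self, openid: str, now: datetime) -> Account:
        acct = Account(self._next_id, openid, now)
        self._next_id += 1
        self._by_openid[openid] = acct
        return acct

    def login(self, openid: str, now: datetime) -> tuple[str, Account]:
        """Return (status, account) for a successful OpenID assertion.

        status is "new" (never seen), "existing" (within the window) or
        "recycled" (idle too long: old account retired, fresh one issued).
        """
        acct = self._by_openid.get(openid)
        if acct is None:
            return "new", self._create(openid, now)
        if now - acct.last_login > self.recycle_after:
            # Idle longer than the policy window: do not expose the old
            # account's data to the current holder of the URI.
            self.retired.append(acct)
            return "recycled", self._create(openid, now)
        acct.last_login = now
        return "existing", acct


def simulate() -> dict:
    """Constructed scenario: one URI used, left idle past the window, then reused."""
    store = RelyingPartyAccounts(recycle_after=timedelta(days=180))
    t0 = datetime(2008, 9, 5, tzinfo=timezone.utc)
    uri = "http://example.com/alice"  # constructed sample identifier
    events = []

    status, acct = store.login(uri, t0)
    acct.private_data["email"] = "alice@example.com"  # constructed private data
    events.append((status, acct.account_id))

    status, acct = store.login(uri, t0 + timedelta(days=10))
    events.append((status, acct.account_id))

    # 190 days idle: beyond the 180-day window, so the URI gets a new account
    status, acct = store.login(uri, t0 + timedelta(days=200))
    events.append((status, acct.account_id))
    data_after_recycle = dict(acct.private_data)

    status, acct = store.login(uri, t0 + timedelta(days=201))
    events.append((status, acct.account_id))

    return {
        "events": events,
        "data_after_recycle": data_after_recycle,
        "retired": [a.account_id for a in store.retired],
    }


if __name__ == "__main__":
    print(simulate())
```

The window is a policy choice the RP has to make blind; the post's suggestion of surveying hosting companies' username-recycling practice is exactly what would justify a particular value of recycle_after.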
