[OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)

Wed Jan 14 14:48:21 UTC 2009

Hi Peter,
I think you missed the scenario I was saying should use OAuth.  The login
process with Plaxo was fantastic.  I didn't mind that it sniffed my email
address from my OP.  That's convenience for me.

But after login was completed, the first page I was taken to was a page
where they wanted to take some email address and password so they could go
download my address book.  This has nothing to do with OpenID.  They wanted
my email password (bad, bad, bad!)  And yes, as you say, this is actually
fairly common practice.  LinkedIn, Facebook, Lala, you name it.  Almost
every social networking site wants your email password. ("cold dead fingers"
comes to mind).  The link I sent you in my previous email explains why this
is such a Very Bad Thing.

What OAuth does is give Plaxo, et. al, a way to download my address book
without me ever giving them my email password.  They still need my
permission, but not my password.  With OAuth, they can only do exactly what
I authorize them to do (for instance, download my address book once) and
nothing more.  Much much safer for the user.  They don't have to trust
(usually blindly) the site they're at nearly as much.

Of course, then you get into the social question of how your "friends" in
your address book will feel about you after you "sell" their contact info to
some random site they have no interest in being a part of just to get a
little convenience.  :)

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire

On Wed, Jan 14, 2009 at 6:28 AM, Peter Williams <pwilliams at rapattoni.com>wrote:

>  I have yet to understand why people assert that type of OAuth comment. I
> jus don't understand OAUTH well enough, yet.
>
>
>
> Given all I know (from the OAUTH spec), data providers can share data with
> data consumers, once authorized by the user. Though any act of authorization
> (or "delegated" authorization) requires first an act of authentication
> (ideally with openid), the two security services are usually designed to be
> independent.
>
>
>
> In the websso world I come from, what Plaxo do is perfectly normal.  They
> "confirm" using a local procedure the authentication statement in the
> assertion. That is, they declare that the assertion is not a bearer-class
> assertion, which would have implicit confirmation. As a consequence of that
> confirmation model, they confirm locally that the user controls the email
> identifier delivered via the nice "form fill" function that openid/sreg just
> performed.
>
>
>
> In reality, Plaxo is perform name-federation with the users email
> identifier to the plaxo account. The verification model is really between
> the mail/phone provider and Plaxo, not OP and RP. Even if the OP has already
> performed that very same email confirmation (e.g. myopenid), the UCI model
> means that Plaxo have no assurance that it was performed, or performed
> properly. Thus, they do it themselves.
>
>
>
> As plaxo is oft-cited as a model openid RP by the protocol-designer class
> of folk here, I had assumed that this RP-confirmation process was an
> INTENDED deployment behavior of "model" RPs. I had ASSUMED that It was one
> of those tradeoffs derived from the UCI  mission – which gives the function
> of survivability on the one hand, but takes away assurance on the other. One
> rebuilds assurance by local confirmation, I guessed.
>
>
>
> During one-time name-federation to plaxo during (n) openid registration(s()
> - and providing different openids can introduce different email/phone
> accounts -  I don't see this as a big deal. If Plaxo as an RP were
> repeatedly confirming with the email/phone provider, then Id agree –
> something user-centric is needed  (perhaps OAUTH); as then the email
> provider becomes a central control/authorization authority - governing the
> user's ability to talk to plaxo.
>
>
>
> *From:* Andrew Arnott [mailto:andrewarnott at gmail.com]
> *Sent:* Wednesday, January 14, 2009 6:06 AM
> *To:* Peter Williams
> *Cc:* Martin Atkins; OpenID List
> *Subject:* Re: [OpenID] Is OpenID truly user-centric and OP-independent?
> (WAS: Bug in OpenID RP implementations)
>
>
>
> Yes, I wish everyone could follow that model at Plaxo.
>
>
>
> But Plaxo would do well to adopt OAuth. I noticed as soon as I created an
> account just now that they wanted to take my email password<http://blog.nerdbank.net/2008/10/why-oauth-can-be-ignored.html>.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>  On Wed, Jan 14, 2009 at 5:51 AM, Peter Williams <pwilliams at rapattoni.com>
> wrote:
>
> Add a plural s to the word identity.
>
>
>
> IN policy language, the goal is surely not attaining "independence" from
> the communications infrastructure; but achieving "autonomy".
>
>
>
> This is nicely seen in the plaxo model for building RPs, where you can bind
> n openids to the plaxo account. As a user, you can invoke any one of these
> identification paths. If flicker suspends your account (which they are want
> to do), there is no downside to you at Plaxo. Survivability is built in,
> with automatic, dynamic re-routing around the congestion point.
>
>
>
>
>
> *From:* general-bounces at openid.net [mailto:general-bounces at openid.net] *On
> Behalf Of *Andrew Arnott
> *Sent:* Wednesday, January 14, 2009 5:35 AM
> *To:* Martin Atkins
>
> In fact, I've become convinced that there is no way to allow a user to
> maintain his own OpenID identity independent of any OP or ISP given the
> profile of a common Internet user today.
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090114/21e2508d/attachment-0002.htm>