[OpenID] Delegation leading to new accounts on websites

Johnny Bufu johnny.bufu at gmail.com
Mon Jul 13 02:53:13 UTC 2009


On 10/07/09 11:57 AM, Breno de Medeiros wrote:
> It is not a question of expanding scope. From a security standpoint, it 
> makes no sense to assess only one aspect of the flow. 

I fail to see how the "only" part was concluded. Or is this a general 
remark, not directly related to the discussion so far?

I do believe that it makes sense to assess security for smaller chunks, 
and then (properly) combine these assessments to get a security 
evaluation for a bigger flow.

If an RP is interested in a security assertion from an OP (such as 
PAPE), it's reasonable to expect that the RP knows who is authoritative 
over what and won't rely on an OP's claim about the security of a 
claimed identifier that the OP doesn't actually control (without using 
additional mechanisms).

If the OP doesn't control the claimed identifier there isn't really 
anything the OP can say about the discovery step, so I don't think it's 
reasonable for the RP to expect or rely on any assertion from the OP for 
this part of the flow.

Yes, OPs need to be careful about possibly misleading RPs when combining 
delegation and PAPE, but I see this is a PAPE deployment issue that 
could use some recommendations / warnings in the next PAPE spec.

For plain OpenID assertions (no extensions), I believe it's clear what's 
being asserted by the OP and what's being claimed by the end user and 
don't really see valid reasons for concern.


Johnny
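
An RP-side sketch of the scoping discussed in the message above, added here as an example and not part of the original post or of any OpenID library. It assumes the assertion has already been signature-verified and checked against discovery; the function names, the sample URLs and the rule of not extending PAPE policies to a delegated claimed identifier are assumptions made for illustration.

```python
from urllib.parse import urldefrag

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"

def pape_alias(params):
    """Return the alias the OP bound to the PAPE namespace (not always 'pape')."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None

def pape_policies(params):
    """Policies the OP says it applied; empty if PAPE is absent or 'none'."""
    alias = pape_alias(params)
    if alias is None:
        return []
    raw = params.get(f"openid.{alias}.auth_policies", "")
    return [p for p in raw.split() if p != PAPE_NONE]

def scope_assertion(params):
    """Separate what the OP asserts from what the end user claims."""
    claimed, _ = urldefrag(params["openid.claimed_id"])
    local, _ = urldefrag(params["openid.identity"])
    delegated = claimed != local  # claimed identifier is not the OP-local one
    policies = pape_policies(params)
    return {
        "delegated": delegated,
        # Always about authentication at the OP, for the OP-local identifier.
        "op_asserted_policies": policies,
        # Hypothetical RP rule: the OP cannot vouch for discovery on a
        # claimed identifier it does not control, so nothing carries over.
        "policies_for_claimed_id": [] if delegated else policies,
    }

# Constructed sample assertions (already verified, per the assumption above).
DELEGATED = {
    "openid.claimed_id": "https://blog.example.org/",
    "openid.identity": "https://op.example.com/user/alice",
    "openid.ns.p1": PAPE_NS,
    "openid.p1.auth_policies": POLICY + "multi-factor " + POLICY + "phishing-resistant",
}
DIRECT = {
    "openid.claimed_id": "https://op.example.com/user/alice#a1",
    "openid.identity": "https://op.example.com/user/alice",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": POLICY + "multi-factor",
}
```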



