[OpenID] Your OpenID is destined to be your email address
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Mar 30 23:17:01 UTC 2009
>I don't understand why it is so difficult for some people to understand the
>real problem. It is really ridiculous for a potential RP, to implement open
>id and then ask the user for his email, and then get it verified. While the
>user has already gone through this process with the OP!

I see two ways of parsing the above:
1) It is ridiculous for a Relying Party to implement OpenID when that
RP will just have to repeat the work done by users' OPs; it's
duplication of effort, and possibly wasteful to have OpenID at all.
2) It is ridiculous for the user to have already verified their
E-mail at the OP, and then be made to verify it again for the Relying
Party.

Both are trust issues. Consider this scenario: a malicious user signs
up for a high-volume list at some RP using a duplicitous OP to tell
the RP that all messages should be sent to YOUR address. RPs that
blindly trusted this OP (which, having authenticated the user, is
provably in collaboration with this user) to verify E-mail addresses
would NOT be user-friendly.

>It is high time people wake up and stop hiding behind the excuses like
>"SPAMMING" possibilities etc.

It is not merely a possibility, but a *probability* - I assume that,
during your 24 years of experience with software engineering, you ran
across the phrase "principle of least privilege" or one like it?
Simply put, and in this context, it means that any server which does
not NEED your E-mail address (or any other piece of information about
you) should not have it - basic damage control, restricting what can
be done if the server is broken (or someone breaks-*in*).
(Additionally, legal requirements in the U.S. may make the
acquisition and/or long-term retention of that data cost-prohibitive;
the Chief Information Officer for the Department of Defense asked on
this list about using OpenID to relieve the government's burden that
way.) From a security perspective, if a server that does not NEED
your E-mail address requires it anyway, it is practically a
no-brainer that some mal-use of it is intended, or at least
anticipated - and as another saying goes, it is easier to beg
forgiveness than obtain permission.

So the question, really, is whether all servers NEED your address,
and for that, it should suffice to remember history. The old webpage
directories? People going through websites manually, analyzing their
content and adding them to the appropriate category. Then came
automated crawlers, along with the brilliant idea that words could be
typed in to help users find what they were looking for. At this point
you're probably thinking "Duh, search engines." and wondering why we
took this little trip down memory lane. But - no, the point we're
looking at is just *before* then.

The people behind these crawlers/indices had a valuable service. So
why didn't they force users to have accounts with them, handing over
E-mail addresses?

Search engines such as Google are free. They provide a valuable
service to millions of users, sometimes monetizing this through
advertising, sometimes subsidizing costs through another service. And
they do it all without requiring an E-mail address, or even a
password, from their users. Frankly, browsing the web would be
prohibitively complicated if we all had to enter passwords just to
visit a site.

Most of us manage to use the internet just fine, every day, without
submitting (and, for a few of us, even *having*) an E-mail address;
spamming? What does having an E-mail address we must devote time,
regularly, to reading, do for us?

>I will post the full text of the post here again for those who don't have
>internet access.

Thank you.

-Shade
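The colluding-OP scenario and the least-privilege point from the message above, seen from the RP side, as an added example that is not part of the original post: an address asserted by an OP is treated as an unverified claim unless the RP has itself chosen to trust that OP, and is discarded when the feature does not need it. The endpoint URLs, the allowlist and all function names are hypothetical.

```python
import hashlib, hmac, json, secrets, time

# Assumption: OP endpoints this RP has decided to trust for e-mail verification.
TRUSTED_EMAIL_OPS = {"https://op.example.org/"}
SECRET = secrets.token_bytes(32)   # per-deployment signing key (constructed here)
TOKEN_TTL = 3600                   # confirmation link lifetime, in seconds

def email_policy(op_endpoint, asserted_email, feature_needs_email):
    """Decide what to do with an e-mail address asserted by an OP."""
    if not feature_needs_email:
        return ("discard", None)            # least privilege: never store it
    if asserted_email is None:
        return ("ask_user", None)
    if op_endpoint in TRUSTED_EMAIL_OPS:
        return ("accept", asserted_email)   # trust decision made by the RP, not the OP
    return ("confirm", asserted_email)      # send one confirmation mail, nothing else

def _mac(claimed_id, email, exp):
    # JSON list encoding keeps the three fields unambiguous inside the MAC input.
    msg = json.dumps([claimed_id, email, exp]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(claimed_id, email, now=None):
    """Token mailed to the asserted address; binds identity, address and expiry."""
    now = time.time() if now is None else now
    exp = int(now + TOKEN_TTL)
    return f"{exp}.{_mac(claimed_id, email, exp)}"

def check_token(claimed_id, email, token, now=None):
    """True only if the token was issued for this identity and address and is fresh."""
    now = time.time() if now is None else now
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    good = _mac(claimed_id, email, exp)
    return hmac.compare_digest(mac.encode(), good.encode()) and now <= exp

if __name__ == "__main__":
    # Constructed input: an unknown OP asserts a third party's address.
    print(email_policy("https://unknown-op.example.net/", "victim@example.com", True))
```

With this policy the worst an untrusted OP can cause is a single confirmation message to the asserted address; list traffic starts only after the token comes back.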