[OpenID] Your OpenID is destined to be your email address

Peter Williams pwilliams at rapattoni.com
Tue Mar 31 07:56:42 UTC 2009


In the UCI model, try to avoid falling into the TTP trap: that only special, enhanced, trustworthy parties do certain things. EVERY RP is a potential OP.

If you are an RP, you are an OP in waiting. If you have half a million people coming to your site, become an OP! Or, at least host an XRDS file per user at a URL on your site, one that provides the user with another openid ...for delegation. There is value in having folks choose to use the openid you provision, where the delegation process masks the assertion maker. It will be your copyrights, your privacy policy rules, your X that are signaled to the next RP downstream, not those of any upstream OP making auth assertions to you. If your policy and management regime is better for the user than the upstream OP, folks will stay with you as OP - as they relate to your "social trustworthiness".

Remember the goal is that having bound your openid to 100 RPs, should your favorite google OP suspend your account tomorrow there should be NO impact on your access to 99 other RPs. If there is even a modicum of impact on those 99 other relationships, it means that OP had power it should not have in the UCI model. To retain control, use RPs that allow one to bind multiple openids to the RP account (a la plaxo), or use the delegation mechanism which gives you portability of OPs.


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of SitG Admin
> Sent: Monday, March 30, 2009 4:17 PM
> To: santrajan
> Cc: general at openid.net
> Subject: Re: [OpenID] Your OpenID is destined to be your email address
>
> > I don't understand why it is so difficult for some people to
> > understand the real problem. It is really ridiculous for a potential
> > RP, to implement open id and then ask the user for his email, and
> > then get it verified. While the user has already gone through this
> > process with the OP!
>
> I see two ways of parsing the above:
>
> 1) It is ridiculous for a Relying Party to implement OpenID when that
> RP will just have to repeat the work done by users' OP's; it's
> duplication of effort, and possibly wasteful to have OpenID at all.
> 2) It is ridiculous for the user to have already verified their
> E-mail at the OP, and then be made to verify it again for the Relying
> Party.
>
> Both are trust issues. Consider this scenario: a malicious user signs
> up for a high-volume list at some RP using a duplicitous OP to tell
> the RP that all messages should be sent to YOUR address. RP's that
> blindly trusted this OP (which, having authenticated the user, is
> provably in collaboration with this user) to verify E-mail addresses
> would NOT be user-friendly.
>
> >It is high time people wake up and stop hiding behind the excuses like
> >"SPAMMING" possibilities etc.
>
> It is not merely a possibility, but a *probability* - I assume that,
> during your 24 years of experience with software engineering, you ran
> across the phrase "principle of least privilege" or one like it?
> Simply put, and in this context, it means that any server which does
> not NEED your E-mail address (or any other piece of information about
> you) should not have it - basic damage control, restricting what can
> be done if the server is broken (or someone breaks-*in*).
> (Additionally, legal requirements in the U.S. may make the
> acquisition and/or long-term retention of that data cost-prohibitive;
> the Chief Information Officer for the Department of Defense asked on
> this list about using OpenID to relieve the government's burden that
> way.) From a security perspective, if a server that does not NEED
> your E-mail address requires it anyway, it is practically a
> no-brainer that some mal-use of it is intended, or at least
> anticipated - and as another saying goes, it is easier to beg
> forgiveness than obtain permission.
>
> So the question, really, is whether all servers NEED your address,
> and for that, it should suffice to remember history. The old webpage
> directories? People going through websites manually, analyzing their
> content and adding them to the appropriate category. Then came
> automated crawlers, along with the brilliant idea that words could be
> typed in to help users find what they were looking for. At this point
> you're probably thinking "Duh, search engines." and wondering why we
> took this little trip down memory lane. But - no, the point we're
> looking at is just *before* then.
>
> The people behind these crawlers/indices had a valuable service. So
> why didn't they force users to have accounts with them, handing over
> E-mail addresses?
>
> Search engines such as Google are free. They provide a valuable
> service to millions of users, sometimes monetizing this through
> advertising, sometimes subsidizing costs through another service. And
> they do it all without requiring an E-mail address, or even a
> password, from their users. Frankly, browsing the web would be
> prohibitively complicated if we all had to enter passwords just to
> visit a site.
>
> Most of us manage to use the internet just fine, every day, without
> submitting (and, for a few of us, even *having*) an E-mail address;
> spamming? What does having an E-mail address we must devote time,
> regularly, to reading, do for us?
>
> > I will post the full text of the post here again for those who don't
> > have internet access.
>
> Thank you.
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
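An added example, not from either message above: the per-user XRDS file Peter describes (the site hosts the claimed identifier and points it at an upstream OP, so the user can change OP without changing the identifier), together with the discovery check an RP must make so that a "duplicitous OP" of the kind Shade mentions cannot assert an identifier that was never delegated to it. All hostnames, identifiers and the assertion fields are constructed.

```python
import xml.etree.ElementTree as ET

SIGNON = "http://specs.openid.net/auth/2.0/signon"
XRD_NS = "xri://$xrd*($v*2.0)"
NS = {"xrd": XRD_NS}

# Claimed identifier hosted by the site acting as delegating OP (constructed).
CLAIMED_ID = "https://rp.example.org/users/alice"

def make_xrds(op_endpoint, op_local_id):
    """Build the XRDS document the site would serve for CLAIMED_ID. Only the
    upstream OP endpoint and the OP-local id change when the user moves OP;
    the claimed identifier bound at downstream RPs stays the same."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="0">
      <Type>{SIGNON}</Type>
      <URI>{op_endpoint}</URI>
      <LocalID>{op_local_id}</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

def discover(xrds_text):
    """Return (op_endpoint, op_local_id) from the first OpenID 2.0 signon
    service, as an RP's Yadis discovery step on the claimed id would."""
    root = ET.fromstring(xrds_text.encode("utf-8"))
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        if SIGNON in [t.text for t in svc.findall("xrd:Type", NS)]:
            local = svc.find("xrd:LocalID", NS)
            uri = svc.find("xrd:URI", NS).text
            return uri, (local.text if local is not None else None)
    raise ValueError("no OpenID 2.0 signon service in XRDS")

def assertion_matches_discovery(claimed_id, assertion, xrds_text):
    """OpenID 2.0 sec. 11.2 check: accept a positive assertion only if its
    op_endpoint and identity are exactly what discovery on claimed_id
    returned. Without this, any OP could assert any claimed identifier."""
    op_endpoint, local_id = discover(xrds_text)
    return (assertion.get("openid.claimed_id") == claimed_id
            and assertion.get("openid.op_endpoint") == op_endpoint
            and assertion.get("openid.identity") == (local_id or claimed_id))
```

Signature verification of the assertion (direct verification or association) is a separate step that this check does not replace; both are required before the RP trusts the login.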