[OpenID] E-mail verification is MultiAuth

Nate Klingenstein ndk at internet2.edu
Fri May 1 05:25:29 UTC 2009


Shade,

If the host/OP that is responsible for proper identification cannot  
be considered responsible, you have serious problems beyond  
inappropriate authentication or identity hijacking.  Assertion of  
fake attributes is just one example.

Identity/attribute aggregation is neither a straightforward nor a  
comprehensive way to deal with the issue; it is cumbersome for the  
RP, and most styles of aggregation are vulnerable to misbehavior by  
one or both of the aggregating entities anyway.

A trust fabric identifying providers as responsible is a much more  
straightforward and thorough approach, and I continue to believe the  
OpenID community must pursue technical support for it.

Take care,
Nate.

On 01 May 2009, at 05:14, SitG Admin wrote:

> Looking at RPs that have users authenticate with two OpenIDs (in  
> the same session) to merge accounts, I realized there is a very  
> good reason to also require that the user demonstrate an ability to  
> receive E-mail at their account - because, most mailboxes not being  
> publicly archived, the ability to receive E-mail at an address  
> implies owning the password (or other authentication measure(s)) to  
> the corresponding account. An attacker might have compromised the  
> user's OP, linking it with their own, but the RP already knows that  
> the user has *another* "OP" - their E-mail provider. A third party  
> is thus available, to vouch for the user - and, more importantly,  
> to *test* whether this claim of dual Identity is true.
>
> In most circumstances, it would seem logical to allow an OP to  
> vouch for addresses at its own domain. But if an address *is* at  
> the same domain as the OP, this suggests that the E-mail provider  
> no longer counts as a "third party" for purposes of requiring  
> attackers to compromise an account *apart from* the OP to steal  
> someone's Identity.
>
> A theft which should not be as simple as "knowing the E-mail  
> address of the person you wish to impersonate".
>
> -Shade
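The merge check Shade describes, as an added example (not code from this thread or from any OpenID library): the RP treats the mailbox as a second, independent "OP", refuses the check when the address sits at one of the OPs' own domains, and links the two identifiers only when a single-use mailed token comes back. The identifier URLs and addresses are constructed sample values, and the host of the identifier URL is assumed to stand for the OP's domain.

```python
"""RP-side guard for merging two OpenIDs: the user's mailbox acts as an
independent "OP" that must not be controlled by either OpenID provider."""
import secrets
import time
from urllib.parse import urlparse

TOKEN_TTL_SECONDS = 15 * 60


def provider_domain(openid_identifier: str) -> str:
    """Host of the identifier URL; assumed here to stand for the OP's domain."""
    host = urlparse(openid_identifier).hostname
    if not host:
        raise ValueError("OpenID identifier must be an absolute URL")
    return host.lower()


def same_org(a: str, b: str) -> bool:
    """True if the two hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def mailbox_is_third_party(email: str, openid_identifiers) -> bool:
    """The mailbox counts as an independent check only if its domain belongs
    to neither OP: compromising one OP must not also hand over the mailbox."""
    mail_domain = email.rsplit("@", 1)[-1].lower()
    return not any(same_org(mail_domain, provider_domain(i)) for i in openid_identifiers)


class MergeVerifier:
    """Issues a single-use, expiring token that is delivered only by e-mail."""
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token -> (email, identifiers, expiry)

    def start(self, email: str, openid_identifiers) -> str:
        if not mailbox_is_third_party(email, openid_identifiers):
            raise ValueError("mailbox is controlled by one of the OPs; not an independent check")
        token = secrets.token_urlsafe(32)
        expiry = self._now() + TOKEN_TTL_SECONDS
        self._pending[token] = (email.lower(), tuple(openid_identifiers), expiry)
        return token  # mail this to `email`; never return it in the HTTP response

    def complete(self, token: str, openid_identifiers) -> bool:
        """Link the identities only if the mailed token comes back unexpired and
        for the same pair of identifiers; pop() makes the token single use."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        _email, bound, expiry = entry
        return self._now() <= expiry and tuple(openid_identifiers) == bound
```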
