[OpenID] E-mail verification is MultiAuth

SitG Admin sysadmin at shadowsinthegarden.com
Fri May 1 15:11:44 UTC 2009


>Sure it is - but, at the same time, we can't place all the power to 
>impersonate users into the hands of any one third party.
>
>That's an extremely strong requirement, beyond the ability of most 
>current deployments and even the requirements of NIST 800-63 Level 
>4.  I don't think calling for it in general practice is reasonable 
>today.

I'm drawing a blank right now on the single third party we all 
unavoidably trust (even DNS can be dismissed if certs don't match), 
so it seems to be that MultiAuth (requiring users to authenticate not 
just as Nate at Klingenstein.name or ndk at internet2.edu, but as a single 
account with *both* addresses associated) would be well within the 
ability of RPs today; how impossible can it *be* to add another 
E-mail field to one's databases?

>I worry far more here about applications relying purely on cookies 
>and compromised clients.  They're definitely the weaker link.

Hmm . . . priorities. Understood. Focusing on a small group allows 
for concentrating those efforts, not dispersing them over the larger 
population; it's more efficient, and more effective. I worry about 
what will happen when attackers realize that it means the same for 
*them* too, though. Fewer centres of trust lead to concentrated 
attacks, and greater consequences when (not if) they finally *are* 
broken.

I'd settle, I think, for RPs offering a fallback option (whatever 
works for them) with users who *aren't* offering their E-mail address 
through one of those trusted parties; manual verification if it can't 
be assumed automatically, and let the (untrusted) OPs worry about 
retaining their users despite this - it's the users' choice to let an 
OP represent them, not the RP's to tell them "it would be to your 
inconvenience, so you'd better switch to this OP we can trust".

>I consider it our best approximation at addressing your concerns 
>unless clients are made more intelligent.

Clients and users :)

Smarter clients will ideally make what is going on more transparent 
to users, so we don't have to be technology geeks to figure all of 
this out. Users who know what's happening are empowered to make their 
own decisions through smart clients, possibly resulting in a truly 
user-centric architecture (with their smart clients executing their 
wishes, not any trusted 3rd party).

-Shade


