[security] Who bears the risk..

Gabe Wachob gabe.wachob at amsoft.net
Thu Oct 26 16:55:28 UTC 2006


[Moving this thread to security]

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of James A. Donald
> Sent: Thursday, October 26, 2006 12:51 AM
> To: Eddy Nigg (StartCom Ltd.)
> Cc: general at openid.net
> Subject: [SPAM]Re: security
> 
> Protocols should specify how the communicating parties should interact,
> not how everyone in the universe should behave.

That's right - protocols (at least what we are doing) can *only* do that.

> If the IDP has a bad logon process, the primary victim is the person who
> chose the IDP, so the matter will correct itself.

This is where I think there's some tunnel vision. In many cases, it's the
*RELYING PARTY* that gets burned. It depends on the commercial context in which
the transaction is happening. In some places, for example, a bank cannot
simply disclaim liability for an unauthorized access to online banking.

The mechanisms provided by OpenID today make the assumption that the end
user is the one who has all the risk and therefore gives the end user the
control over which IDP (and of course, which RP) to use. 

I believe we'll roll out mechanisms in the future (NOT for 2.0) as
extensions to allow RPs to make decisions, because the assumption will be
relaxed to include the possibility that RPs share the risk of unauthorized
use of an identifier... (hehe - new crime - Unauthorized Use of an
Identifier?)

   -Gabe