[security] Who bears the risk..
Daniel E. Renfer
Duck at Kronkltd.net
Thu Oct 26 17:45:19 UTC 2006
On a somewhat related note, if a site uses Passport for their login
system, and Microsoft's servers become compromised, who is liable?
On 10/26/06, Gabe Wachob <gabe.wachob at amsoft.net> wrote:
>
> [Moving this thread to security]
>
> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > Behalf Of James A. Donald
> > Sent: Thursday, October 26, 2006 12:51 AM
> > To: Eddy Nigg (StartCom Ltd.)
> > Cc: general at openid.net
> > Subject: [SPAM]Re: security
> >
> > Protocols should specify how the communicating parties should interact,
> > not how everyone in the universe should behave.
>
> That's right - protocols (at least what we are doing) can *only* do that.
>
> > If the IDP has a bad logon process, the primary victim is the person who
> > chose the IDP, so the matter will correct itself.
>
> This is where I think there's some tunnel vision. In many cases, it's the
> *RELYING PARTY* that gets burned. Depends on the commercial context in which
> the transaction is happening.. In some places, for example, a bank cannot
> simply disclaim liability for an unauthorized access to online banking..
>
> The mechanisms provided by OpenID today make the assumption that the end
> user is the one who has all the risk and therefore gives the end user the
> control over which IDP (and of course, which RP) to use.
>
> I believe we'll roll out mechanisms in the future (NOT for 2.0) as
> extensions to allow RPs to make decisions because the assumption will be
> relaxed to include the possibility that RPs share the risk of unauthorized
> use of an identifier... (hehe - new crime - Unauthorized Use of an
> Identifier?)
>
> -Gabe
>
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>