[security] Who bears the risk..

Gabe Wachob gabe.wachob at amsoft.net
Thu Oct 26 18:36:24 UTC 2006


I don't know. 

But in the case where there is privity of contract (fancy way of saying that
there is some contractual connection) between the IDP and the RP (as there
would be in the Passport case), then the contract probably has a lot of
control over the liability assignment. 

On the other hand, when RPs and IDPs don't even know about each other before
the authentication event, it's less clear what the rules will or can be...
legally or commercially. Visa (my former employer) solves this problem by
making everyone in the system belong to an organization and agree to play by
certain rules and accept certain risks and liabilities in exchange for well
defined payment and incentive allocations. 

A similar thing could be set up for OpenID-style authentication, but that
seems to be a long ways off. 

	-Gabe



> -----Original Message-----
> From: duck1123 at gmail.com [mailto:duck1123 at gmail.com] On Behalf Of Daniel
> E. Renfer
> Sent: Thursday, October 26, 2006 10:45 AM
> To: Gabe Wachob
> Cc: James A. Donald; Eddy Nigg (StartCom Ltd.); security at openid.net
> Subject: Re: [security] Who bears the risk..
> 
> On a somewhat related note, if a site uses Passport for their login
> system, and Microsoft's servers become compromised, who is liable?
> 
> On 10/26/06, Gabe Wachob <gabe.wachob at amsoft.net> wrote:
> >
> > [Moving this thread to security]
> >
> > > -----Original Message-----
> > > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > > Behalf Of James A. Donald
> > > Sent: Thursday, October 26, 2006 12:51 AM
> > > To: Eddy Nigg (StartCom Ltd.)
> > > Cc: general at openid.net
> > > Subject: [SPAM]Re: security
> > >
> > > Protocols should specify how the communicating parties should interact,
> > > not how everyone in the universe should behave.
> >
> > That's right - protocols (at least what we are doing) can *only* do that.
> >
> > > If the IDP has a bad logon process, the primary victim is the person who
> > > chose the IDP, so the matter will correct itself.
> >
> > This is where I think there's some tunnel vision. In many cases, it's the
> > *RELYING PARTY* that gets burned. Depends on the commercial context in which
> > the transaction is happening.. In some places, for example, a bank cannot
> > simply disclaim liability for an unauthorized access to online banking..
> >
> > The mechanisms provided by OpenID today make the assumption that the end
> > user is the one who has all the risk and therefore gives the end user the
> > control over which IDP (and of course, which RP) to use.
> >
> > I believe we'll roll out mechanisms in the future (NOT for 2.0) as
> > extensions to allow RP's to make decisions because the assumption will be
> > relaxed to include the possibility that RP's share the risk of unauthorized
> > use of an identifier... (hehe - new crime - Unauthorized Use of an
> > Identifier?)
> >
> >    -Gabe
> >
> >
> > _______________________________________________
> > security mailing list
> > security at openid.net
> > http://openid.net/mailman/listinfo/security
> >
