[security] Who bears the risk..
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Thu Oct 26 19:00:54 UTC 2006
Gabe Wachob wrote:
> This is where I think there's some tunnel vision. In many cases, it's the
> *RELYING PARTY* that gets burned. Depends on the commercial context in which
> the transaction is happening.. In some places, for example, a bank cannot
> simply disclaim liability for an unauthorized access to online banking..
>
Great! I agree and would like once again to make one of the problems at
hand clearer with a few examples:
First of all, as I understand it, _the OpenID community is promoting_
the use and very much _welcomes adoption of OpenID_ (web sites which
offer login via OpenID URI). But I suspect that today there are more
OpenID IDPs than RPs, certainly not a situation of thousands of RPs
and a handful of IDPs. There might be a few reasons for this, but let
me explain why _I_ can't be an RP:
Because there are no rules of behavior, standards and liability for IDPs
in the OpenID framework, but only the authentication protocol of OpenID
is defined, I can't rely on any IDP. There are currently no requirements
on how an IDP performs authentication, secures the transport of data
between the user (client) and IDP server or how it stores any data. The IDP
versus RP relation is another issue.
But here comes OpenID, Verisign, SXIP and many others making convincing
statements why to use OpenID....why to adopt this technology! But today,
even for a super-low-risk forum or blog I can't use it right now,
because once the forum spammers understand that, they'll install their
own server and patch my forum with Viagra and Loans (I guess that this
mail will land in most people's spam filters ;-))
So right now, I'm not proposing a solution to the problem, but ask you
on the list to provide me with a solution which will be acceptable to
99% of forum and blog owners. This is the current low-risk target of
RPs as mentioned various times on this list. Once we have a solution
for this, we can try to raise the stakes a little...If there is no
solution for the problem, then perhaps everybody should _stop talking
about adoption of OpenID_ until it's solved!
> The mechanisms provided by OpenID today make the assumption that the end
> user is the one who has all the risk and therefore gives the end user the
> control over which IDP (and of course, which RP) to use.
>
Currently I see the risks for the RP as the highest, because the user might
easily claim that the RP offered (and even convinced them) to make use of
OpenID URI...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390