[security] Who bears the risk..
Pete Rowley
prowley at redhat.com
Fri Oct 27 01:36:02 UTC 2006
Eddy Nigg (StartCom Ltd.) wrote:
> But here comes OpenID, Verisign, SXIP and many others making
> convincing statements why to use OpenID....why to adopt this
> technology! But today, even for a super-low-risk forum or blog I can't
> use it right now, because once the forum spammers understand that,
> they'll install their own server and patch my forum with Viagra and
> Loans (I guess that this mail will land in most people's spam filter ;-))
There is no fundamental difference between OpenID and direct account
creation on the site. You know your users by some unique identifier; you
hope they don't post their account and password to newsgroups, but you
can't be sure they don't. Currently, in order to mitigate the risks of
the billion-account script spammers, sites ask for an email address in
order to prove you have control over an email account (regardless of
the fact that this can easily be scripted too) - nothing stops sites from
continuing this policy. Once profile exchange is added, the transfer of
the email address can be automatic instead of an annoying additional
step as it is now. Still gotta click on the email link though. That is,
unless you have some other mechanism for gaining trust - like moderated
comments until their trust level reaches a threshold.
Your site might also decide to trust certain IdPs. That is probably the
first thing that will occur - sites will trust a whitelist of IdPs to
have performed some form of adequate verification so that they do not
need to.
Anyway - this is all obviously for the low end blog/forum stuff.
--
Pete
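The relying-party policy sketched in this message (trust an allow-list of IdPs outright, otherwise require the email-confirmation click and hold comments for moderation until a trust threshold is reached), as an added example that is not part of the original post or of any OpenID library. The IdP host names, the threshold value and the scenario below are constructed assumptions; the identifier normalization only outlines the URL-identifier rules of OpenID 2.0 section 7.2 and does not handle XRIs.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list of OP (IdP) endpoint hosts this relying party
# trusts to have done adequate verification. Names are assumptions.
TRUSTED_OP_HOSTS = {"openid.example-idp.test", "login.verified-example.test"}

# Moderator-approved posts needed before comments go live unreviewed
# (assumed value for the example).
TRUST_THRESHOLD = 3


def normalize_identifier(claimed: str) -> str:
    """Normalize a user-typed URL identifier before using it as the account
    key (outline of OpenID 2.0 sec. 7.2 for URL identifiers): prepend http://
    when no scheme is given, lowercase scheme and host, make an empty path
    "/", and drop the fragment so "http://a/b#x" and "http://a/b" are one
    account rather than two. XRIs (starting with "=" or "@") are not handled."""
    claimed = claimed.strip()
    if "://" not in claimed:
        claimed = "http://" + claimed
    parts = urlsplit(claimed)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def op_trusted(op_endpoint: str) -> bool:
    """True if the OP endpoint host is on the allow-list. The endpoint passed
    here must be the one the RP discovered itself for the claimed identifier
    and checked against the signed assertion, never a value the user typed;
    otherwise a spammer's own OP could simply claim a trusted host name."""
    host = urlsplit(op_endpoint).hostname
    return bool(host) and host.lower() in TRUSTED_OP_HOSTS


@dataclass
class Account:
    claimed_id: str                 # normalized identifier, the RP's unique key
    op_endpoint: str                # discovered OP endpoint for that identifier
    email_verified: bool = False    # user clicked the confirmation link
    approved_posts: int = 0         # comments a moderator has let through


def new_account(claimed: str, op_endpoint: str) -> Account:
    return Account(normalize_identifier(claimed), op_endpoint)


def posting_mode(acct: Account) -> str:
    """Decide what happens to a new comment from this account:
    'publish' (goes live), 'moderate' (held for review) or 'reject'."""
    if op_trusted(acct.op_endpoint):
        return "publish"        # the IdP's verification is trusted outright
    if not acct.email_verified:
        return "reject"         # still gotta click on the email link
    if acct.approved_posts >= TRUST_THRESHOLD:
        return "publish"        # trust earned through moderation
    return "moderate"


def record_approval(acct: Account) -> Account:
    """A moderator approved one of the account's held comments."""
    acct.approved_posts += 1
    return acct


if __name__ == "__main__":
    # Constructed scenario: a spammer who installs their own OP gets nothing
    # for free, while a user from an allow-listed OP is published at once.
    spammer = new_account("Spam-Op.test/bot123#x", "http://spam-op.test/server")
    print(spammer.claimed_id, posting_mode(spammer))   # http://spam-op.test/bot123 reject
    spammer.email_verified = True
    print(posting_mode(spammer))                        # moderate
    for _ in range(TRUST_THRESHOLD):
        record_approval(spammer)
    print(posting_mode(spammer))                        # publish
    alice = new_account("alice.example-idp.test",
                        "https://openid.example-idp.test/server")
    print(posting_mode(alice))                          # publish
```

The point the code makes beyond the text: the allow-list is only as good as the binding between the claimed identifier and the OP endpoint, so the check has to run on the endpoint the relying party discovered and verified, not on anything the user or the OP asserts about itself.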