[security] Who bears the risk..

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Oct 27 01:58:45 UTC 2006


Pete Rowley wrote:
> There is no fundamental difference between OpenID and direct account
> creation on the site. You know your users by some unique identifier,
> you hope they don't post their account and password to newsgroups but
> you can't be sure they don't. 
Right! But when thinking one step further on this specific subject, in
such a case, this would be the user's responsibility (allowing for the RP
to react accordingly), whereas a future login compromise (at the IDP or
RP) would already be the responsibility of the RP. But that's now almost
off-topic in this specific context.
> Currently in order to mitigate the risks of the billion account script
> spammers sites ask for an email address in order to prove you have
> control over an email account (now regardless of the fact that can
> easily be scripted too) - nothing stops sites from continuing this
> policy. Once profile exchange is added the transfer of the email
> address can be automatic instead of an annoying additional step as it
> is now. Still gotta click on the email link though. That is, unless
> you have some other mechanism for gaining trust - like moderated
> comments until their trust level reaches a threshold.
OK, now on a practical level, the user still has to perform every step
during registration at every forum/blog/etc. in order to post, so the
time saving comes only at successive logins...Provided that the IDP
protects the login facility correctly (_which according to the specs is
currently completely optional_), then there is the same level of
trust/protection established...OK!
> Your site might also decide to trust certain IdPs. That is probably
> the first thing that will occur - sites will trust a whitelist of IdPs
> to have performed some form of adequate verification so that they do
> not need to.
This is implementation on the RP application level and has no specs, as
I understand it...right?
> Anyway - this is all obviously for the low end blog/forum stuff.
Correct...

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390