[security] security

James A. Donald jamesd at echeque.com
Sat Oct 28 22:33:10 UTC 2006


Eddy Nigg (StartCom Ltd.) wrote:
 > By encouraging <http://iwantmyopenid.org/bounty> the
 > world to integrate OpenID into their software,
 > obviously to spread OpenID, WITHOUT providing adequate
 > protection by the standard itself, to the relying
 > parties is almost criminal! This might be gross
 > negligence and intent by the sponsoring parties:

If we merely want to enable our users to have persistent
unforgeable ID, no-password.com is not a problem.  Users
will not use it.  A site like Pecunix, which allows
people to transfer gold around the internet would not
suffer any problems from the existence of
no-password.com.

If, however, we want to be able to ban objectionable
users, which most of the early adopters of OpenID do
want, we would only want identities that correspond to
systems that impose some small cost on creating an
identity, in which case we need to work off a list of
known good identity providers, identity providers such
that people with these identities are probably not
spammers.  We would blacklist no-password.com, and
whitelist some quite long list of known good identity
providers.

Without machinery in the protocol and libraries for
whitelisting, greylisting, and blacklisting, the
widespread adoption of OpenID will eventually lead to
spammer attack.  The protocol must contain machinery to
deal with the problem that will happen when OpenID
becomes attractive to spammers.  OpenID has to support a
reputation system for both individuals and identity
providers.

Otherwise, critical mass will be signaled by mass spams
using the OpenID system.

     --digsig
          James A. Donald