[security] OpenID for High Security?

Gabe Wachob gabe.wachob at amsoft.net
Tue Feb 20 15:57:57 PST 2007

I think the real question is not one of "high security" or not - it's about
risk tolerance, exposure and mitigation.

If you don't care about a user's losing control over their OP, and there's
no real exposure for you, then you shouldn't care. I think this is the
openid canonical use case - and motivates the "openid spirit" of openness
and "anybody can play".

If you are a bank and you are very exposed if someone else gets into a
user's account (by regulation, or by market forces which demand you eat the
cost of fraud), then perhaps you need to take a stance which is not so in
line with the "openid spirit". 

The fact that a certain use of openid (the protocol) is against the "openid
spirit" and therefore shouldn't be done with openid is a mistake. In other
words, if you can't live with the scriptures of the "openid spirit" right
now, I don't think you should abandon "openid" the protocol. 

You may find that you need to start with a whitelist (or other 'OP-limiting'
option) and then determine how/if you can deal with the risk exposure of
opening up to any OP (through means like insurance or other risk mitigation
methods). It may be that you end up using openid as a protocol only within a
small universe of openid providers - even that is a better situation than
using something less open and lightweight, IMHO.

Using the openid protocol will give you a path in the future to open up and
integrate with the outside world, if that's even a remote possibility...
there'll be a ton of innovation around openid and authentication and I'd hate
to see people run away because the "openid spirit" is not compatible with
the business realities they are operating in today... 


> -----Original Message-----
> From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
> Behalf Of Phil Kulak
> Sent: Tuesday, February 20, 2007 3:44 PM
> To: Josh Hoyt
> Cc: security at openid.net
> Subject: Re: [security] OpenID for High Security?
> Whitelisting would be an option, but I'm not sure I like it. The most
> secure identity provider can be the one hosted on your own box, so it
> seems a little odd that those are the ones I wouldn't allow. Do you
> mean that I could set up some kind of click-through and have it show
> up only if the user's IP is not on the whitelist? That could be an
> option.
> On 2/20/07, Josh Hoyt <josh at janrain.com> wrote:
> > On 2/20/07, Dmitry Shechtman <damnian at gmail.com> wrote:
> > > You may use server whitelisting to require all logins to originate
> > > from e.g. providers supporting SSL/TLS for login, although I believe
> > > this would be against the spirit of OpenID.
> >
> > IMO, the spirit of OpenID is to accept sign-ins from anywhere,
> > *unless* you have a good reason not to.
> >
> > My advice would be to make a list of who would be affected by
> > different security decisions on the part of OpenID providers, and make
> > sure that you're taking care of each of those cases in your
> > implementation.
> >
> > If the exposed parties are solely end users, you could have a
> > white-list of providers that you trust, and have a click-through page
> > describing what kind of exposure the users would open themselves up to
> > if their provider does not follow the minimum guidelines. Ideally,
> > you'd be able to whitelist the providers for most of your users, and
> > still let others play.
> >
> > If you decide that the exposure is too great or the decision is too
> > complicated for end-users, you can get by with a whitelist of OpenID
> > providers who you do trust.
> >
> > I think that the biggest questions that you have to answer are:
> >  * what happens if the user loses control of their URL?
> >  * what kinds of information are tied to that account that would get
> >    exposed?
> >  * who is liable if someone else takes action on the part of the user?
> >
> > There are other options, such as using captcha, if it turns out your
> > concern is only about bots.
> >
> > It would be good if we could try to get a full list of this kind of
> > question, and maybe make a flow-chart or similar to help sites decide
> > what kind of policy they should have w/r/t accepting OpenID users.
> >
> > Hope that helps,
> > Josh
> >
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
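The thread above describes two relying-party postures: Gabe's "start with a whitelist (or other 'OP-limiting' option)" for high-exposure sites, and Josh's tiered approach where trusted OPs sign in silently, unlisted OPs get a click-through page describing the exposure, and a minimum guideline (such as requiring SSL/TLS on the OP) is enforced. The following is an added example of how a relying party could encode that decision; it is not code from the list, from any OpenID library, or from the people quoted. The hostnames and the `RPPolicy`/`evaluate_op` names are constructed for illustration. Note that the check is applied to the OP endpoint URL that discovery returned for the claimed identifier, not to whatever the user typed, and that it matches whole hostnames rather than substrings, so a URL like `https://op.bank.example@evil.example/` is not mistaken for the trusted provider.

```python
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse


class Decision(Enum):
    """What the relying party does with a sign-in from a given OP."""
    ALLOW = "allow"                  # trusted OP: proceed without friction
    ALLOW_WITH_WARNING = "warn"      # unlisted OP: show the click-through page first
    DENY = "deny"                    # policy forbids this OP outright


@dataclass(frozen=True)
class RPPolicy:
    """Relying-party policy, tuned to the site's risk exposure (hypothetical type)."""
    trusted_ops: frozenset          # exact hostnames of OP endpoints the RP trusts
    require_tls: bool               # minimum guideline: OP endpoint must be https
    allow_unlisted: bool            # True = click-through for others, False = strict whitelist


def evaluate_op(op_endpoint: str, policy: RPPolicy) -> Decision:
    """Decide how to treat the OP endpoint that discovery returned.

    op_endpoint must be the discovered OP endpoint URL, not the user-supplied
    claimed identifier; the whitelist is keyed on the endpoint's hostname.
    """
    parsed = urlparse(op_endpoint)
    # urlparse().hostname strips userinfo and port, so "a@b" resolves to host "b".
    host = (parsed.hostname or "").lower()

    # Reject anything that is not a plain http(s) URL with a host.
    if parsed.scheme not in ("http", "https") or not host:
        return Decision.DENY

    # Minimum guideline: the OP must offer its login over TLS.
    if policy.require_tls and parsed.scheme != "https":
        return Decision.DENY

    # Exact hostname match only: no substring or suffix matching.
    if host in policy.trusted_ops:
        return Decision.ALLOW

    # Unlisted OP: either warn the user (low exposure) or refuse (high exposure).
    return Decision.ALLOW_WITH_WARNING if policy.allow_unlisted else Decision.DENY


# Constructed example policies for the two postures discussed in the thread.
# A bank-style RP: strict whitelist, TLS required, no click-through.
BANK_POLICY = RPPolicy(
    trusted_ops=frozenset({"op.bank.example", "op.partner.example"}),
    require_tls=True,
    allow_unlisted=False,
)

# A low-exposure RP: a few trusted OPs sign in silently, anyone else gets
# the click-through page, and plain-http OPs are still tolerated.
OPEN_POLICY = RPPolicy(
    trusted_ops=frozenset({"openid.provider.example"}),
    require_tls=False,
    allow_unlisted=True,
)


if __name__ == "__main__":
    # Constructed sample endpoints, as a relying party might see after discovery.
    samples = [
        "https://op.bank.example/server",
        "http://op.bank.example/server",
        "https://self-hosted.example/openid",
        "https://op.bank.example@evil.example/server",
        "javascript:alert(1)",
    ]
    for name, policy in (("bank", BANK_POLICY), ("open", OPEN_POLICY)):
        for url in samples:
            print(f"{name:5} {evaluate_op(url, policy).value:5} {url}")
```

The two policy objects show Gabe's point that the choice is about exposure rather than about the protocol: the same `evaluate_op` serves both the bank (strict whitelist) and the open site (click-through for unlisted OPs), so a site can start strict and relax `allow_unlisted` later without changing its OpenID integration.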
