[security] OpenID for High Security?

Josh Hoyt josh at janrain.com
Tue Feb 20 23:34:33 UTC 2007


On 2/20/07, Dmitry Shechtman <damnian at gmail.com> wrote:
> You may use server whitelisting to require all logins to originate from e.g.
> providers supporting SSL/TLS for login, although I believe this would be
> against the spirit of OpenID.

IMO, the spirit of OpenID is to accept sign-ins from anywhere,
*unless* you have a good reason not to.

My advice would be to make a list of who would be affected by
different security decisions on the part of OpenID providers, and make
sure that you're taking care of each of those cases in your
implementation.

If the exposed parties are solely end users, you could have a
whitelist of providers that you trust, and have a click-through page
describing what kind of exposure the users would open themselves up to
if their provider does not follow the minimum guidelines. Ideally,
you'd be able to whitelist the providers for most of your users, and
still let others play.

If you decide that the exposure is too great or the decision is too
complicated for end-users, you can get by with a whitelist of OpenID
providers who you do trust.

I think that the biggest questions that you have to answer are:
 * what happens if the user loses control of their URL?
 * what kinds of information are tied to that account that would get exposed?
 * who is liable if someone else takes action on the part of the user?

There are other options, such as using a CAPTCHA, if it turns out your
concern is only about bots.

It would be good if we could try to get a full list of this kind of
question, and maybe make a flow-chart or similar to help sites decide
what kind of policy they should have w/r/t accepting OpenID users.

Hope that helps,
Josh
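The policy sketched in the message above (sign in directly from whitelisted providers, show a click-through exposure page for unknown ones, and refuse providers that fail a minimum guideline such as a TLS endpoint) as an added example in Python. This is not code from the list or from any OpenID library; the provider hosts, the choice of TLS as the minimum bar, and the three outcomes are assumptions made for illustration.

```python
"""
Relying-party sign-in policy for OpenID providers (added example).

Outcome for a discovered OP endpoint:
  ALLOW          - provider host is on the whitelist: sign in directly
  CLICK_THROUGH  - unknown provider: show the exposure page first
  REJECT         - fails the minimum guideline (assumed here: no TLS)

Hosts and policy values below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class Decision(Enum):
    ALLOW = "allow"
    CLICK_THROUGH = "warn"
    REJECT = "reject"


@dataclass(frozen=True)
class Policy:
    # Provider hosts the relying party has vetted (assumed sample values).
    trusted_hosts: frozenset
    # Minimum guideline assumed for this example: the OP endpoint must use TLS.
    require_tls: bool = True
    # Whether unknown providers may sign in after the click-through page.
    allow_unknown_with_warning: bool = True


def _host_matches(host: str, trusted: str) -> bool:
    """Exact host or a subdomain of a trusted host.

    A plain suffix test would let 'evilexample.com' match 'example.com',
    so the match must land on a label boundary (the dot)."""
    return host == trusted or host.endswith("." + trusted)


def classify_op_endpoint(endpoint: str, policy: Policy) -> Decision:
    """Classify the OP endpoint URL discovered for a user's identifier."""
    parts = urlsplit(endpoint)
    # urlsplit strips userinfo, so 'https://example.com@evil.test/' yields
    # host 'evil.test' rather than the whitelisted-looking prefix.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return Decision.REJECT
    if policy.require_tls and parts.scheme != "https":
        # Even a whitelisted provider is refused below the minimum bar.
        return Decision.REJECT
    if any(_host_matches(host, t) for t in policy.trusted_hosts):
        return Decision.ALLOW
    if policy.allow_unknown_with_warning:
        return Decision.CLICK_THROUGH
    return Decision.REJECT


if __name__ == "__main__":
    # Constructed sample policy and endpoints for a quick run.
    sample = Policy(trusted_hosts=frozenset({"example.com", "openid.example.net"}))
    for url in (
        "https://example.com/openid",
        "https://id.example.com/server",
        "https://evilexample.com/server",
        "http://example.com/openid",
        "https://example.com@evil.test/openid",
    ):
        print(f"{url:45s} -> {classify_op_endpoint(url, sample).value}")
```

The decision is made on the discovered endpoint, not on the user's claimed identifier URL, since the identifier can delegate to any provider; the TLS check is applied before the whitelist so that a vetted provider cannot be downgraded to a plaintext endpoint.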
