[security] OpenID for High Security?
Phil Kulak
pkulak at gmail.com
Tue Feb 20 23:43:44 UTC 2007
Whitelisting would be an option, but I'm not sure I like it. The most
secure identity provider can be the one hosted on your own box, so it
seems a little odd that those are the ones I wouldn't allow. Do you
mean that I could set up some kind of click-through and have it show
up only if the user's IP is not on the whitelist? That could be an
option.
On 2/20/07, Josh Hoyt <josh at janrain.com> wrote:
> On 2/20/07, Dmitry Shechtman <damnian at gmail.com> wrote:
> > You may use server whitelisting to require all logins to originate from e.g.
> > providers supporting SSL/TLS for login, although I believe this would be
> > against the spirit of OpenID.
>
> IMO, the spirit of OpenID is to accept sign-ins from anywhere,
> *unless* you have a good reason not to.
>
> My advice would be to make a list of who would be affected by
> different security decisions on the part of OpenID providers, and make
> sure that you're taking care of each of those cases in your
> implementation.
>
> If the exposed parties are solely end users, you could have a
> white-list of providers that you trust, and have a click-through page
> describing what kind of exposure the users would open themselves up to
> if their provider does not follow the minimum guidelines. Ideally,
> you'd be able to whitelist the providers for most of your users, and
> still let others play.
>
> If you decide that the exposure is too great or the decision is too
> complicated for end-users, you can get by with a whitelist of OpenID
> providers who you do trust.
>
> I think that the biggest questions that you have to answer are:
> * what happens if the user loses control of their URL?
> * what kinds of information are tied to that account that would get exposed?
> * who is liable if someone else takes action on the part of the user?
>
> There are other options, such as using captcha, if it turns out your
> concern is only about bots.
>
> It would be good if we could try to get a full list of this kind of
> question, and maybe make a flow-chart or similar to help sites decide
> what kind of policy they should have w/r/t accepting OpenID users.
>
> Hope that helps,
> Josh
>
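As an added illustration of the relying-party policy discussed above (this is not code from either poster), a small Python decision function that implements the three outcomes: direct acceptance for whitelisted providers, a click-through exposure warning for other providers, and a hard reject for providers that do not use SSL/TLS. The provider hostnames and the `allow_click_through` switch are assumptions for the example.

```python
from enum import Enum
from urllib.parse import urlparse


class Decision(Enum):
    ACCEPT = "accept"                # trusted provider: sign the user in directly
    CLICK_THROUGH = "click_through"  # other provider: show the exposure warning first
    REJECT = "reject"                # provider fails the minimum guidelines


# Constructed whitelist of OpenID provider hostnames this relying party has
# reviewed (placeholders; a real site maintains its own list).
TRUSTED_PROVIDERS = {"openid.example.com", "id.example.org"}


def rp_policy(op_endpoint: str, allow_click_through: bool = True) -> Decision:
    """Decide how the relying party treats a login coming from op_endpoint.

    allow_click_through=True models the "whitelist plus warning page" option;
    False models the stricter "whitelist only" option for accounts whose
    exposure is judged too great to leave the choice to the end user.
    """
    parsed = urlparse(op_endpoint)
    host = (parsed.hostname or "").lower()

    # Minimum guideline from the thread: the provider must speak SSL/TLS.
    if parsed.scheme != "https" or not host:
        return Decision.REJECT

    # Exact hostname match, so a lookalike host with the trusted name as a
    # prefix or suffix does not pass as trusted.
    if host in TRUSTED_PROVIDERS:
        return Decision.ACCEPT

    # Self-hosted or otherwise unreviewed providers: let them play, but only
    # after the user has seen what they are exposing themselves to.
    return Decision.CLICK_THROUGH if allow_click_through else Decision.REJECT
```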