[security] Nonrepudiation, and Trusting OpenID Providers
David Recordon
recordond at gmail.com
Tue Dec 8 00:55:18 UTC 2009
Hey Dylan,
Yes, this is correct, but Google could also start sending email as me
or even fill in forgotten-password pages and then log in as me. :)
This is one thing which is known to be a challenge to see OpenID scale
into higher levels of assurance. The ultimate answer for these sorts
of use cases is not only the user trusting their provider, but the
relying party having some form of trust in the provider as well.
--David
On Mon, Dec 7, 2009 at 4:47 PM, Shearer, Charles Dylan <cdsheare at nps.edu> wrote:
> I have some concerns about OpenID, and I would like to see what those
> involved think about them.
>
> It seems to me that, regardless of how OpenID is deployed, it is always
> possible for an OpenID provider itself to authenticate with a relying party
> as any user by forging a request to authenticate using the user’s
> identifier. This is because a relying party cannot tell the difference
> between a user attempting to log in using his or her identifier, and the
> user’s OpenID provider spoofing that user to gain access to whatever
> services the relying party provides to that user. This seems to require
> that both users and relying parties put a lot of trust in OpenID providers:
> for example, if I used my OpenID identifier for online banking and email, my
> OpenID provider could easily access my email and bank account.
>
> Additionally, even if we assume that OpenID providers will not log into
> users’ accounts, I still cannot see how OpenID could provide nonrepudiation
> regarding messages sent to a relying party by an authenticated user: for
> example, if I authenticate with my bank using my OpenID identifier and then
> use the bank’s “bill pay” service to pay a bill, there’s no way the bank can
> prove that I ordered that payment because it is possible that someone
> working for my OpenID provider logged in as me and ordered it.
>
> Does anyone disagree with my analysis?
>
> Dylan
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
>
>
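The point both messages make is that an OpenID 2.0 assertion is authenticated with a key the OP holds (the association secret it shares with the RP), not with anything the user holds, so the RP verifies a genuine login and an OP-minted one by exactly the same check. The following toy model is an added example written for this page, not code from the thread or from any OpenID library: the OP and RP URLs, the association handle, the nonces and the identifier are constructed placeholders, the message is a simplified Key-Value Form with the openid. prefix stripped, and the assumed HMAC-SHA256 association stands in for a real one. It runs the two cases Dylan describes and adds a tampering case to show that the RP's signature check is meaningful but only proves "the OP said so".

```python
# Added example (not from the thread): a toy model of an OpenID 2.0-style
# assertion, signed with the association secret the OP shares with the RP.
# Everything here is constructed: the OP/RP URLs, the secret, the nonces and
# the identifier are placeholders, and the message layout is simplified.
import base64
import hashlib
import hmac
import secrets

OP_ENDPOINT = "https://op.example/auth"        # constructed
RP_RETURN_TO = "https://bank.example/return"   # constructed
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity",
                 "return_to", "response_nonce", "assoc_handle"]


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-Value Form over the signed fields (openid. prefix stripped), in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def op_issue_assertion(assoc_secret: bytes, claimed_id: str, nonce: str) -> dict:
    """What the OP sends to the RP after (supposedly) authenticating the user.
    Nothing in the message is bound to the user: the only key involved is the
    OP/RP association secret, so the OP can mint this for any identifier."""
    fields = {
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-1",          # constructed handle
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(assoc_secret, kv_form(fields, SIGNED_FIELDS), hashlib.sha256).digest()
    fields["openid.sig"] = base64.b64encode(mac).decode()
    return fields


def rp_verify(assoc_secret: bytes, fields: dict, seen_nonces: set) -> bool:
    """RP-side check: right mode, all required fields covered by the signature,
    signature valid under the association secret, return_to is ours, nonce fresh."""
    if fields.get("openid.mode") != "id_res":
        return False
    signed = fields.get("openid.signed", "").split(",")
    if not set(SIGNED_FIELDS) <= set(signed):
        return False
    try:
        expected = hmac.new(assoc_secret, kv_form(fields, signed), hashlib.sha256).digest()
        given = base64.b64decode(fields["openid.sig"])
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(expected, given):
        return False
    if fields["openid.return_to"] != RP_RETURN_TO:
        return False
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True


def demo() -> dict:
    """Run the two cases from the thread: a genuine login and an OP forging one."""
    assoc_secret = secrets.token_bytes(32)    # established by the OP/RP association
    seen = set()
    user = "https://op.example/dylan"         # constructed identifier

    # Case 1: the user really authenticated at the OP, which then issues the assertion.
    genuine = op_issue_assertion(assoc_secret, user, "2009-12-07T16:47:00Zaaa")
    genuine_ok = rp_verify(assoc_secret, genuine, seen)

    # Case 2: nobody logged in; an OP insider mints an assertion for the same identifier.
    forged = op_issue_assertion(assoc_secret, user, "2009-12-07T16:48:00Zbbb")
    forged_ok = rp_verify(assoc_secret, forged, seen)

    # The RP does check integrity: altering the identifier after signing fails.
    tampered = dict(forged)
    tampered["openid.claimed_id"] = tampered["openid.identity"] = "https://op.example/mallory"
    tampered_ok = rp_verify(assoc_secret, tampered, set())

    return {
        "genuine_accepted": genuine_ok,
        "forged_accepted": forged_ok,
        "tampered_rejected": not tampered_ok,
        # Same fields, same key: the RP has nothing to tell the two apart with.
        "indistinguishable": set(genuine) == set(forged),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() accepts both the genuine and the forged assertion and rejects only the tampered one. The signature check therefore establishes integrity and OP origin, not user intent: a third party (the bank's auditor, a court) can conclude only that the OP vouched for the identifier, which is why the RP's trust in the OP, not just the user's, is what carries the weight in David's reply, and why nonrepudiation toward the user would need a key that only the user holds.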