[security] Nonrepudiation, and Trusting OpenID Providers

John Bradley ve7jtb at ve7jtb.com
Tue Dec 8 11:34:11 UTC 2009 

Charles,

It is true that almost all assertion based protocols require that a RP and user have some trust in the OP/IdP.   This is equally the case for SAML and managed Info-Cards.

Some thing like PKI and personal info-cards allow the user to have complete control over the authenticator.  

There are two basic options:
1 increase the trustability of the OP/IdP
2 Use multiple IdP simultaneously and prey.

I don't personally believe that option 2 is all that practical or gives much more security for the average user.

Given that openID is only secure enough as a protocol for ICAM LoA 1 (pseudonymous protecting no PII) the most practical path is to provide more trustable OP/IdP.

That said, with some of the v.Next changes openID will become appropriate for higher LoA.

I don't think Gov or Banks are going to be comfortable with multi Auth solutions.  They are going to insist on trusted OP/IdP.

You can have a look at the ICAM site to see where the US Gov is going.
http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV

I can see binding more than one openID to a RP to allow for recovery,  however that needs to be balanced against doubling the attack surface.

Regards
John Bradley

On 2009-12-07, at 9:47 PM, Shearer, Charles Dylan wrote:

> I have some concerns about OpenID, and I would like to see what those involved think about them.
> 
> It seems to me that, regardless of how OpenID is deployed, it is always possible for an OpenID provider itself to authenticate with a relying party as any user by forging a request to authenticate using the user’s identifier.  This is because a relying party cannot tell the difference between a user attempting to log in using his or her identifier, and the user’s OpenID provider spoofing that user to gain access to whatever services the relying party provides to that user.  This seems to require that both users and relying parties put a lot of trust in OpenID providers: for example, if I used my OpenID identifier for online banking and email, my OpenID provider could easily access my email and bank account.  
> 
> Additionally, even if we assume that OpenID providers will not log into users’ accounts, I still cannot see how OpenID could provide nonrepudiation regarding messages sent to a relying party by an authenticated user: for example, if I authenticate with my bank using my OpenID identifier and then use the bank’s “bill pay” service to pay a bill, there’s no way the bank can prove that I ordered that payment because it is possible that someone working for my OpenID provider logged in as me and ordered it.
> 
> Does anyone disagree with my analysis?
> 
> Dylan
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20091208/b968b9af/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2468 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20091208/b968b9af/attachment-0001.bin>

More information about the security mailing list