[security] Nonrepudiation, and Trusting OpenID Providers
Ben Laurie
benl at google.com
Wed Dec 9 16:24:09 UTC 2009
On Tue, Dec 8, 2009 at 12:55 AM, David Recordon <recordond at gmail.com> wrote:
> Hey Dylan,
> Yes, this is correct but Google could also start sending email as me
> or even fill in forgotten password pages and then log in as me. :)
>
> This is one thing which is known to be a challenge to see OpenID scale
> into higher levels of assurance. The ultimate answer for these sorts
> of use cases is not only the user trusting their provider, but the
> relying party having some form of trust in the provider as well.
That's only one ultimate answer. Another is for the user to sign stuff.
BTW, I wish people would not use nonrepudiation in this way - you can
always repudiate a digital signature. Nonrepudiation is a legal term -
it means that the law doesn't _care_ if you repudiate it.
>
> --David
>
> On Mon, Dec 7, 2009 at 4:47 PM, Shearer, Charles Dylan <cdsheare at nps.edu> wrote:
>> I have some concerns about OpenID, and I would like to see what those
>> involved think about them.
>>
>> It seems to me that, regardless of how OpenID is deployed, it is always
>> possible for an OpenID provider itself to authenticate with a relying party
>> as any user by forging a request to authenticate using the user’s
>> identifier. This is because a relying party cannot tell the difference
>> between a user attempting to log in using his or her identifier, and the
>> user’s OpenID provider spoofing that user to gain access to whatever
>> services the relying party provides to that user. This seems to require
>> that both users and relying parties put a lot of trust in OpenID providers:
>> for example, if I used my OpenID identifier for online banking and email, my
>> OpenID provider could easily access my email and bank account.
>>
>> Additionally, even if we assume that OpenID providers will not log into
>> users’ accounts, I still cannot see how OpenID could provide nonrepudiation
>> regarding messages sent to a relying party by an authenticated user: for
>> example, if I authenticate with my bank using my OpenID identifier and then
>> use the bank’s “bill pay” service to pay a bill, there’s no way the bank can
>> prove that I ordered that payment because it is possible that someone
>> working for my OpenID provider logged in as me and ordered it.
>>
>> Does anyone disagree with my analysis?
>>
>> Dylan
>> _______________________________________________
>> security mailing list
>> security at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-security
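Ben's alternative, the user signing things themselves, as an added example that is not from this thread or from any OpenID specification: it assumes a hypothetical relying party that, at enrollment, bound Dylan's OpenID identifier to an Ed25519 public key only the user holds. The provider can still assert the login, but the bank's "bill pay" order is accepted only under the user's own signature, which the provider cannot forge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RP is a hypothetical relying party that, at enrollment, bound each OpenID
// identifier to a public key the user alone holds (not part of OpenID itself).
type RP struct {
	userKeys map[string]ed25519.PublicKey
}

func NewRP() *RP { return &RP{userKeys: map[string]ed25519.PublicKey{}} }

// Register binds an identifier to the user's public key (assumed enrollment step).
func (rp *RP) Register(identifier string, pub ed25519.PublicKey) {
	rp.userKeys[identifier] = pub
}

// paymentMessage is the exact byte string the user signs. Identifier, payee,
// amount and a per-request nonce are all covered, so none can be altered or
// replayed without invalidating the signature.
func paymentMessage(identifier, payee string, cents int64, nonce string) []byte {
	return []byte(fmt.Sprintf("bill-pay|%s|%s|%d|%s", identifier, payee, cents, nonce))
}

// AuthorizePayment accepts the order only under the key registered for the
// identifier. The OpenID provider can assert the login, but without the user's
// private key it cannot produce this signature, so a spoofed session fails here.
func (rp *RP) AuthorizePayment(identifier, payee string, cents int64, nonce string, sig []byte) bool {
	pub, ok := rp.userKeys[identifier]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, paymentMessage(identifier, payee, cents, nonce), sig)
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // held by the user
	_, opPriv, _ := ed25519.GenerateKey(rand.Reader)         // held by the provider
	rp := NewRP()
	id := "https://dylan.example/" // constructed identifier
	rp.Register(id, userPub)
	msg := paymentMessage(id, "utility-co", 4250, "nonce-1")
	fmt.Println("user-signed order:", rp.AuthorizePayment(id, "utility-co", 4250, "nonce-1", ed25519.Sign(userPriv, msg)))
	fmt.Println("provider-signed order:", rp.AuthorizePayment(id, "utility-co", 4250, "nonce-1", ed25519.Sign(opPriv, msg)))
}
```

The relying party now holds evidence (a user signature over the order) that the provider could not have produced, which is what Dylan's bill-pay scenario lacks when the provider's assertion is the only thing the bank ever sees.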