[security] Nonrepudiation, and Trusting OpenID Providers
SitG Admin
sysadmin at shadowsinthegarden.com
Thu Dec 10 15:45:24 UTC 2009
>> If you use your email account for account recovery your email provider can
>> get access to all of your other accounts. That is one of the largest
>> security problems.
>
>Surely the problem is not that the provider can do it (yes, they can,
>but how often do they?), but that anyone you give your password away
>to can do it.

The larger (class of) problem is that any 3rd party you trust can go bad.
Controlling your own password is something you have power over, and
can probably manage regardless of whether 3rd parties are actively
cooperating. But you don't have ANY power over 3rd parties, and their
susceptibility to corruption is itself a variable that you have no
control over. OpenID tries to strike a balance between unique
passwords (to ensure no RP can pose as the user to any other RP),
which are difficult to memorize, and account individuality (where
users exist apart from their SSO OP) by enabling delegation, but how
many users actually know this feature exists, much less have it
operating that way? Especially with so many sites trying to become
OPs (when, really, all they need is an added field in the interface
for people who can't upload/modify their own HTML documents to set
OpenID headers). You'd think that the risk of employee malpractice
would have more sites encouraging users to look *elsewhere* for their
OP needs, not just be averse to the whole idea.

It might be interesting to compare how many people adopted PGP (an
identity solution without 3rd parties) at various points along its
release timeline, to how many users of OpenID adopted delegation.
-Shade
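
How a relying party resolves the delegation mentioned above from the link tags in a user's own HTML page, as an added example that is not part of the original post. The rel names are those of OpenID 1.1 and 2.0 HTML-based discovery; the function names, URLs and sample page are constructed placeholders.

```python
from html.parser import HTMLParser

# rel values used by OpenID HTML-based discovery, keyed to protocol version
OP_RELS = {"openid2.provider": "2.0", "openid.server": "1.1"}
LOCAL_RELS = {"openid2.local_id": "2.0", "openid.delegate": "1.1"}

class _HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> pairs, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():
                if href:
                    self.links.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def _pick(links, table, version):
    return next((links[r] for r, v in table.items() if v == version and r in links), None)

def discover(claimed_id, html):
    """Return what an RP learns from the page at claimed_id, preferring 2.0."""
    parser = _HeadLinks()
    parser.feed(html)
    for version in ("2.0", "1.1"):
        op = _pick(parser.links, OP_RELS, version)
        if op:
            local = _pick(parser.links, LOCAL_RELS, version)
            # The claimed identifier stays the user's own URL; only the OP is swappable.
            return {"claimed_id": claimed_id, "version": version, "op_endpoint": op,
                    "op_local_id": local or claimed_id, "delegated": local is not None}
    return None

# Constructed sample page; the <link> in <body> must be ignored by discovery.
SAMPLE = """<html><head><title>me</title>
<link rel="openid2.provider openid.server" href="https://op.example.net/endpoint">
<link rel="openid2.local_id openid.delegate" href="https://op.example.net/user/shade">
</head><body><link rel="openid.server" href="https://other.example/"></body></html>"""
```

Because the RP keys the account to `claimed_id`, moving to a different OP means editing two link tags on a page the user controls, with no change visible to any RP.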