[security] Nonrepudiation, and Trusting OpenID Providers

Nat Sakimura n-sakimura at nri.co.jp
Fri Dec 11 05:18:49 UTC 2009


It sounds like you are conflating security, trust, level of assurance of 
real identity (autonym/veronym) and of authentication.

In most transactions, you do not need autonym. For example, a ticket 
vendor does not need to know who you are, but it had better make sure to 
hand the concert ticket to the person who paid for it. It involves Level 
of Assurance on authentication but it does not involve LoA on autonymity.

I do not have too much time right now so I will not dig deeper, but 
considering these separately will help you understand the issue.

=nat


(2009/12/11 12:37), Brandon Ramirez wrote:
> So OpenID is good when security is of little importance?  I'm not 
> trying to be a pain, but the classic response to the trust argument is 
> always that OpenID is meant for use cases where security isn't important.
>
> The problem is that to every RP, security IS important.  To them.
>
> - Brandon
>
> On Thu, Dec 10, 2009 at 4:49 PM, Jacob Bellamy <toarms at gmail.com 
> <mailto:toarms at gmail.com>> wrote:
>
>
>     This might be a silly question, but aren't the interactions between
>     banks and government inherently different from, say, a user's
>     interaction with livejournal? In the former case, security takes
>     precedence, and in the latter usability does. If a bank or
>     government institution is an RP, then they should have every right
>     to demand you use an OP which they trust- and if this is the case,
>     then it is just a matter of using whitelists.  Users should be
>     wary regardless of using the same identity which they would use to
>     log in to social networking sites, in the same manner in which
>     they should be wary of using the same password for their hotmail
>     and for their bank.
>
>
>
>     _______________________________________________
>     security mailing list
>     security at lists.openid.net <mailto:security at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-security
>
>
>


-- 
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
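The whitelisting Jacob mentions and the separation Nat draws are easy to get wrong on the RP side if the OP endpoint is compared as a loose string. The following is an added example, not code from this thread or from any OpenID library: a hypothetical RP policy that maps each trusted OP to an authentication-assurance tier and each RP action to the tier it requires, with the OP matched by exact origin (scheme, host, port) after URL parsing. The endpoint, tier names, actions and hostnames are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed whitelist: OP endpoint origins this RP trusts, and the
# authentication-assurance tier the RP assigns to each. This is about how
# well the OP authenticates the user, not about knowing the user's real name.
TRUSTED_OPS = {
    "https://op.bank.example": "high",
    "https://openid.social.example": "low",
}

# Constructed RP policy: minimum tier each action needs.
ACTION_MIN_TIER = {
    "post_comment": "low",     # livejournal-style use
    "view_statement": "high",  # bank-style use
}

TIER_RANK = {"low": 1, "high": 2}


def op_origin(endpoint):
    """Reduce a discovered OP endpoint URL to a canonical https origin.

    Returns None for anything that should not be trusted: non-https,
    userinfo in the URL (a classic lookalike trick), or an unparsable port.
    Exact-origin matching is what defeats "trusted-op.example.evil.example".
    """
    try:
        parts = urlsplit(endpoint)
        host = parts.hostname  # already lowercased by urlsplit
        port = parts.port      # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if port is None or port == 443:
        return f"https://{host}"
    return f"https://{host}:{port}"


def op_trust_tier(endpoint):
    """Tier for the OP that issued an assertion, or None if not whitelisted.

    In OpenID 2.0 the RP learns the endpoint from discovery and again as
    openid.op_endpoint in the positive assertion; check the same value here.
    """
    origin = op_origin(endpoint)
    if origin is None:
        return None
    return TRUSTED_OPS.get(origin)


def authorize(action, endpoint):
    """True if the OP's tier meets the minimum the action requires."""
    tier = op_trust_tier(endpoint)
    required = ACTION_MIN_TIER.get(action)
    if tier is None or required is None:
        return False
    return TIER_RANK[tier] >= TIER_RANK[required]


if __name__ == "__main__":
    for ep in ("https://op.bank.example/server",
               "https://op.bank.example.evil.example/server",
               "https://op.bank.example@evil.example/server",
               "http://op.bank.example/server"):
        print(ep, "->", op_trust_tier(ep))
```

Note that the tiers express how much the RP trusts the OP's authentication of the account that created the ticket purchase, exactly as in Nat's ticket-vendor case; nothing here asserts who the person is, and a bank-style RP would still need a separate identity-proofing step before granting "high"-tier actions on a real account.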


