[security] how secure is openid? advise pls..

Nate Klingenstein ndk at internet2.edu
Mon Feb 9 19:27:56 UTC 2009


Balasubramanian,

It's pretty difficult to answer your question for a couple reasons.

First, there is a very large gradient between secure and insecure,  
and every application falls somewhere on that spectrum.  You really  
need to assess how much security is really necessary so you can  
balance security with usability.  There are a lot of attempts out  
there to build frameworks to help you analyze the quality of  
authentication and attributes your application needs.  You can  
probably find one.  Here is an old example for the U.S. Federal  
government:

http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf

Second, there really is no way to gauge the security of any  
individual OpenID transaction because there is no trust framework.   
You're relying on the OP to do good identity-proofing, but there's  
incredible variability in OPs.  Some just require a non-bouncing  
email, while others do identity proofing.  Some do better  
authentication, like Kevin mentioned, and others are plaintext  
passwords over HTTP.  There are some attempts at addressing this  
variety, like PAPE, but without any trust framework, you're still  
ultimately relying on the OP to just be honest.  I hope upcoming work  
in the OpenID community will build support for trust frameworks.

Hope this helps,
Nate.

On 09 Feb 2009, at 19:02, Balasubramanian G wrote:

> Dear all,
>
> I recently started working on making my site OpenID-enabled. When  
> I was having a talk with my friend about this, he pointed to a series of  
> articles on the internet which describe the vulnerabilities in  
> using OpenID. Though my site does not deal with any sensitive data,  
> I just want to make sure that it's safe for the users if not 100%,  
> at least to the max extent.
>
> So, please advise me on how secure OpenID is and what safety measures  
> I should implement in order to make it more safe, as I am answerable  
> to the users of my site if they raise the question of security.  
> Reply ASAP
>
> Warm Regards
> Balasubramanian
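The two points in Nate's reply (PAPE lets an OP report what authentication policy it applied, but the claim is only as good as the OP making it, so the relying party still needs its own trust decision about which OPs to accept) can be turned into a concrete relying-party check. The following Python is an added example written for this archive page; it is not code from the thread, from the OpenID project, or from any OpenID library. It assumes the RP has already verified the assertion signature, assumes PAPE 1.0 parameter names and policy URIs as published by the OpenID Foundation (treat them as assumptions to check against the spec), and uses constructed sample responses. `RpPolicy`, `evaluate`, and the hypothetical `op.example.com` endpoints are all invented for the example.

```python
"""Relying-party-side evaluation of an OpenID PAPE response against a local policy.

Added example (not from the thread). Assumes the assertion signature has already
been verified; this step only decides whether the *claimed* authentication is
good enough, and whether we trust the OP that is making the claim at all.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# PAPE 1.0 namespace and policy URIs (assumed from the published spec).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
NO_POLICY = POLICY_BASE + "none"
# Assurance-level namespace for NIST SP 800-63 levels (assumed; check the spec).
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


@dataclass
class RpPolicy:
    """What this relying party is willing to accept (hypothetical structure)."""
    trusted_ops: Set[str]                      # the RP's own 'trust framework': an OP allowlist
    required_policies: Set[str] = field(default_factory=set)
    max_auth_age: timedelta = timedelta(minutes=15)
    min_nist_level: int = 1                    # M-04-04 / SP 800-63 style level 1..4


@dataclass
class Decision:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def _nist_level(resp: Dict[str, str]) -> Optional[int]:
    """Find the auth_level alias bound to the NIST namespace and return its integer value."""
    prefix = "openid.pape.auth_level.ns."
    for key, value in resp.items():
        if key.startswith(prefix) and value == NIST_LEVEL_NS:
            alias = key[len(prefix):]
            try:
                return int(resp.get("openid.pape.auth_level." + alias, ""))
            except ValueError:
                return None
    return None


def evaluate(resp: Dict[str, str], policy: RpPolicy, now: datetime) -> Decision:
    """Return an accept/reject decision with every reason for rejection collected."""
    reasons: List[str] = []

    # 1. Trust decision about the OP itself: PAPE claims from an OP we do not trust are worthless.
    op = resp.get("openid.op_endpoint", "")
    if urlparse(op).scheme != "https":
        reasons.append("OP endpoint is not served over HTTPS")
    if op not in policy.trusted_ops:
        reasons.append("OP %s is not on the trusted-OP list" % (op or "<missing>"))

    # 2. PAPE claims: which policies were applied, when, and at what assurance level.
    if resp.get("openid.ns.pape") != PAPE_NS:
        reasons.append("response carries no PAPE extension")
        return Decision(False, reasons)

    applied = set(resp.get("openid.pape.auth_policies", "").split())  # space-separated URIs
    if NO_POLICY in applied:
        applied = set()  # 'none' means the OP applied no policy at all
    missing = policy.required_policies - applied
    if missing:
        reasons.append("required policies not applied: " + ", ".join(sorted(missing)))

    auth_time = resp.get("openid.pape.auth_time")
    if auth_time is None:
        reasons.append("OP did not report auth_time")
    else:
        try:
            at = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            reasons.append("malformed auth_time %r" % auth_time)
        else:
            if now - at > policy.max_auth_age:
                reasons.append("authentication is older than %s" % policy.max_auth_age)
            elif at > now + timedelta(minutes=5):
                reasons.append("auth_time lies in the future")

    level = _nist_level(resp)
    if level is None or level < policy.min_nist_level:
        reasons.append("assurance level %s below required %d" % (level, policy.min_nist_level))

    return Decision(not reasons, reasons)


# Constructed sample data (not captured from any real OP).
POLICY = RpPolicy(trusted_ops={"https://op.example.com/openid"},
                  required_policies={MULTI_FACTOR}, min_nist_level=2)
NOW = datetime(2009, 2, 9, 19, 10, tzinfo=timezone.utc)
GOOD = {
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/openid",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR + " " + PHISHING_RESISTANT,
    "openid.pape.auth_time": "2009-02-09T19:02:00Z",
    "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS, "openid.pape.auth_level.nist": "3",
}
UNKNOWN_OP = dict(GOOD, **{"openid.op_endpoint": "https://unknown-op.example.org/openid"})
WEAK = dict(GOOD, **{"openid.pape.auth_policies": NO_POLICY, "openid.pape.auth_level.nist": "1"})

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("unknown-op", UNKNOWN_OP), ("weak", WEAK)):
        print(name, evaluate(resp, POLICY, NOW))
```

The split into an OP allowlist on one side and PAPE evaluation on the other mirrors the reply: PAPE only tells you what the OP says it did, so the allowlist is where the RP's actual trust decision lives, and a strong PAPE claim from an unlisted OP is still rejected.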
