[security] how secure is openid? advise pls..

Balasubramanian G mccbala at gmail.com
Mon Feb 9 19:38:04 UTC 2009


That was a nice reply, Nate. So would it be of some help if I restrict the
users to sign in through some trusted OPs instead of any X, Y, Z? But by
doing this, am I not breaking one of the rules of thumb of the OpenID concept?
That the users can authenticate themselves through any OP, which, if I
restrict it, would not be true on my website.

Warm Regards
Balasubramanian
Bob Hope  - "I have a wonderful make-up crew. They're the same people
restoring the Statue of Liberty."

P.S.: It's surprising that you've addressed me by my full name. People
generally don't take the pain of typing (or pasting) all 15 characters, and
that too with proper spelling. Ha, ha. Just a joke.

On Tue, Feb 10, 2009 at 12:57 AM, Nate Klingenstein <ndk at internet2.edu> wrote:

> Balasubramanian,
> It's pretty difficult to answer your question for a couple reasons.
>
> First, there is a very large gradient between secure and insecure, and
> every application falls somewhere on that spectrum.  You really need to
> assess how much security is really necessary so you can balance security
> with usability.  There are a lot of attempts out there to build frameworks
> to help you analyze the quality of authentication and attributes your
> application needs.  You can probably find one.  Here is an old example for
> the U.S. Federal government:
>
> http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
>
> Second, there really is no way to gauge the security of any individual
> OpenID transaction because there is no trust framework.  You're relying on
> the OP to do good identity-proofing, but there's incredible variability in
> OPs.  Some just require a non-bouncing email, while others do identity
> proofing.  Some do better authentication, like Kevin mentioned, and others
> are plaintext passwords over HTTP.  There are some attempts at addressing
> this variety, like PAPE, but without any trust framework, you're still
> ultimately relying on the OP to just be honest.  I hope upcoming work in the
> OpenID community will build support for trust frameworks.
>
> Hope this helps,
> Nate.
>
>
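The two ideas in this exchange, an RP that only accepts assertions from a short list of trusted OPs and an RP that reads the PAPE fields the OP sends back, fit together as one policy check on the relying-party side. The following is an added example for this thread, not code from the list, from any OP, or from an OpenID library. It assumes the RP has already done discovery, confirmed that openid.op_endpoint matches the discovered endpoint, and verified openid.sig through its association or a check_authentication call; the allowlist, the sample response and the timestamps are constructed for illustration. The policy URIs and the "openid.signed" convention are the ones from the OpenID 2.0 and PAPE 1.0 specifications.

```python
"""Relying-party policy gate for an OpenID 2.0 positive assertion carrying PAPE.

Added example for this thread, not code from the list or from any OpenID
library. Signature verification and discovery matching are assumed done;
what remains is policy: which OPs the site trusts, and what the OP claims.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Namespace and policy URIs defined by the PAPE 1.0 specification.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PAPE_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Hypothetical allowlist: the OP endpoints this site's operator has decided to trust.
TRUSTED_OP_ENDPOINTS = frozenset({
    "https://op.example.com/server",
    "https://idp.example.org/openid",
})


def pape_alias(params: dict[str, str]) -> str | None:
    """Alias the OP bound to the PAPE namespace ('pape' by convention, but the
    OP picks it), or None when the response carries no PAPE fields at all."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def evaluate_response(params: dict[str, str], trusted_endpoints: frozenset[str],
                      required_policies: set[str], max_auth_age: int | None,
                      now: datetime) -> list[str]:
    """Return the list of policy violations; an empty list means 'accept'."""
    if params.get("openid.mode") != "id_res":
        return ["not a positive assertion (openid.mode is not id_res)"]
    problems: list[str] = []

    # Fields the signature covers, listed without the 'openid.' prefix.
    signed = set(params.get("openid.signed", "").split(","))

    endpoint = params.get("openid.op_endpoint", "")
    if urlparse(endpoint).scheme != "https":
        problems.append("OP endpoint is not https")
    if endpoint not in trusted_endpoints:
        problems.append("OP endpoint not in allowlist")
    if "op_endpoint" not in signed:
        problems.append("op_endpoint not covered by signature")

    alias = pape_alias(params)
    if alias is None:
        if required_policies or max_auth_age is not None:
            problems.append("PAPE required but response carries no PAPE fields")
        return problems

    # PAPE fields the OP did not sign could have been appended by anyone on
    # the path between OP and RP; refuse to act on them.
    for field in (f"ns.{alias}", f"{alias}.auth_policies", f"{alias}.auth_time"):
        if f"openid.{field}" in params and field not in signed:
            problems.append(f"{field} not covered by signature")

    policies_raw = params.get(f"openid.{alias}.auth_policies", "")
    # "none" is PAPE's explicit way of saying no listed policy was applied.
    policies = set() if policies_raw == "none" else set(policies_raw.split())
    missing = set(required_policies) - policies
    if missing:
        problems.append("required policies not satisfied: " + ", ".join(sorted(missing)))

    if max_auth_age is not None:
        raw = params.get(f"openid.{alias}.auth_time")
        if raw is None:
            problems.append("auth_time missing although max_auth_age is enforced")
        else:
            try:
                auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            except ValueError:
                problems.append(f"auth_time not in PAPE format: {raw!r}")
            else:
                age = now - auth_time
                if age < timedelta(0):
                    problems.append("auth_time is in the future")
                elif age > timedelta(seconds=max_auth_age):
                    problems.append(f"login is {int(age.total_seconds())}s old, limit is {max_auth_age}s")
    return problems


def sample_response(overrides: dict[str, str] | None = None) -> dict[str, str]:
    """Constructed positive assertion (the parsed return_to query), not captured
    from any real OP; openid.sig is a placeholder assumed already verified."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.com/server",
        "openid.claimed_id": "https://op.example.com/user/alice",
        "openid.identity": "https://op.example.com/user/alice",
        "openid.return_to": "https://rp.example.net/openid/return",
        "openid.response_nonce": "2009-02-10T09:58:31Zk7f2",
        "openid.assoc_handle": "{HMAC-SHA256}{constructed}",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                         "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
        "openid.sig": "c29tZSBiYXNlNjQgc2lnbmF0dXJl",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": f"{PAPE_PHISHING_RESISTANT} {PAPE_MULTI_FACTOR}",
        "openid.pape.auth_time": "2009-02-10T09:58:30Z",
    }
    params.update(overrides or {})
    return params


NOW = datetime(2009, 2, 10, 10, 0, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for label, p in [("trusted OP", sample_response()),
                     ("unknown OP", sample_response({"openid.op_endpoint": "https://anyone.example.net/openid"})),
                     ("no policy", sample_response({"openid.pape.auth_policies": "none"}))]:
        print(label, evaluate_response(p, TRUSTED_OP_ENDPOINTS, {PAPE_PHISHING_RESISTANT}, 300, NOW))
```

The allowlist and the PAPE check depend on each other. Everything in the PAPE response is the OP's own word about what it did, which is exactly the point made above about relying on the OP to be honest; the check only means something for OPs the operator has already decided to believe, so an assertion from an endpoint outside the list is rejected before its policy claims are even read. The signature-coverage loop matters too: an OP that leaves its PAPE fields out of openid.signed has given the RP nothing it can rely on. Whether a login from an unlisted OP is refused outright or merely mapped to a lower-privilege account is a product decision; the function above just reports why the assertion fell short.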