[security] how secure is openid? advise pls..

[Manger, James H]

>> So would it be of some help, if i restrict the users to sign in
>> through some trusted OPs instead of any x y z??

> Unfortunately, the answer to both of your questions today is probably yes.


NO!


Restricting users to only "some trusted OPs" absolutely breaks the core user-centric identity concept on which OpenID is built.
That must not be done lightly. It should not be the first suggestion (particularly from an OpenID board member) without knowing the specifics of a particular web site and its users. Such restrictions might be appropriate for some specialist Relying Parties, but they should be the exceptions, not the norm.


Nate says "I'm a strong believer in protecting users from themselves".
An RP restricting acceptable OPs is a crude tool to that end. Encouraging many RPs to take that approach could well be counter-productive -- by hindering other parties (OPs) that are likely to be in a much better position than the RP to protect users from themselves.
A better approach for a general RP to "protect users from themselves" would be to recommend some known, good OPs to new users who don't have an OpenID.


The most important security issue for an RP is probably:
* finding an OpenID library that is well written, supports HTTPS identifiers, and is well supported (so any security bugs are found and fixed quickly) -- then keeping it up-to-date with any new patches;



James Manger 
James.H.Manger at team.telstra.com 
Identity and security team — Chief Technology Office — Telstra