[security] how secure is openid? advise pls..
Chris Messina
chris.messina at gmail.com
Tue Feb 10 02:09:36 UTC 2009
On Mon, Feb 9, 2009 at 5:53 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
>
> Restricting users to only "some trusted OPs" absolutely breaks the core
> user-centric identity concept on which OpenID is built.
>
> Please re-read Balasubramanian's comments. My response was, "yes, it does
> break one of the rules of thumb," with the addition that many other things
> are threatening those concepts today as well.
>
Replace "OpenID" with "email" and I think you get a clearer picture of the
answer to your question. Which email domains do you want to prevent users
using for signing up for an account?

Since most user accounts are as secure as someone's email account, I don't
think that supporting OpenID weakens or lessens that situation; in fact, if you
support SSL, you can improve it for your users — and provide them with a
means to have greater security — through the choice of a secure OpenID
Provider.

It isn't that OpenID is or isn't more secure in and of itself. In
combination with other technologies, it can change the threat model for user
accounts on the web, moving away from usernames and passwords that are
treated like confetti and strewn about across the web to one where an
individual is incentivized to protect their identity/OpenID.

In any case, familiarizing yourself with how OpenID works is critical. From
a convenience perspective, I think preventing your users from having to
create yet another username and password is certainly a benefit and worth
considering as well.

Chris
--
Chris Messina
Citizen-Participant &
Open Web Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private