[security] how secure is openid? advise pls..
Manger, James H
James.H.Manger at team.telstra.com
Tue Feb 10 02:53:17 UTC 2009
Nate, please accept my apologies for mistaking you for Nat (who is a board member); and similar apologies to Nat.
Nate,
It looks like we both agree that whitelisting OPs “breaks” OpenID to some degree. I didn’t want that “break” to be so easily (even if reluctantly) accepted for what appeared to be a “general” consumer Internet web site (not banking, health, corporate…).
James Manger
James.H.Manger at team.telstra.com
Identity and security team — Chief Technology Office — Telstra
________________________________
From: Nate Klingenstein [mailto:ndk at internet2.edu]
Sent: Tuesday, 10 February 2009 12:53 PM
To: Manger, James H
Cc: security at openid.net; Balasubramanian G
Subject: Re: [security] how secure is openid? advise pls..
James,
NO!
Restricting users to only "some trusted OPs" absolutely breaks the core user-centric identity concept on which OpenID is built.
Please re-read Balasubramanian's comments. My response was, "yes, it does break one of the rules of thumb," with the addition that many other things are threatening those concepts today as well.
That must not be done lightly. It should not be the first suggestion (particularly from an OpenID board member) without knowing the specifics of a particular web site and its users. Such restrictions might be appropriate for some specialist Relying Parties, but they should be the exceptions, not the norm.
I'm certainly not a board member, was not nominated, would be flattered but refuse to serve if nominated, and wonder whether you meant someone else.
Take care,
Nate.