[security] how secure is openid? advise pls..

Nash, Andrew annash at paypal.com
Tue Feb 10 16:57:08 UTC 2009


James,
 
I am totally in favor of enabling consumers to make their own choice of
OP and who they trust. 
 
If we are considering low or "zero" value transactions then RPs that are
utilizing these openids should utilize the broadest set of OPs possible.
However, the identity space is not uniform - not even the consumer
identity space. There are in fact large swathes of relying parties that
have different needs.
 
The problem is that while consumers are free to choose whatever OP they
want, a whole range of RPs are not free to accept just any identities
produced by any OP. At the farther end of the spectrum, if you are a
financial institution with "know your customer" regulations or a health
care provider with HIPAA, that will significantly restrict the set of OPs you
may be able to rely on. Given that an OP is providing an authentication
service and attesting to the consistency of the identity and user that
is being presented (leaving other KYC issues aside), the effectiveness
with which an OP is run and how that figures into your risk processing
is a completely valid concern.
 
For merchants or other RPs that fit somewhere through the middle of the
identity continuum, they will make choices of OPs based on their own
fraud/risk/security criteria. I don't see how we can say we want them to
use OpenID without allowing the RPs as much freedom to make choices
about appropriate OPs based on the identity proofing, management,
authentication, risk analysis or whatever else is required for the RP
to operate successfully.
 
Engagement with Relying Parties is one of our bigger challenges - part
of the reason is that we need to provide appropriate support for them in
the area of trust - unless we decide as a community that we want OpenID
to be restricted to a subset of relying parties.
 
Even in Balasubramanian's case operating a "non-profit" he is making
risk based assessments and trying to work out appropriateness of OpenID
as a solution for his needs. He is dealing with standard issues relating
to transaction velocity and potential account spoofing in various ways.
These are totally valid concerns that we do need to openly discuss and
address. 
 
The merits and values (and even potential enhancements to OpenID) must
be open to discussion or we are in danger of becoming a religious
debate. It should not matter if Nate is Nat or Nate, a board member or
not. If this is an open community then let's just talk about the issues
with some level of respect.

To be quite clear (as I am sure this has potential for
misinterpretation) - I am totally supportive of the user centric aspects
of OpenID. However, if we want to be effective in dealing with even
moderately complex uses of OpenID moving forward, these issues of
security and trust need to be addressed.

--Andrew 

 

________________________________

From: security-bounces at openid.net [mailto:security-bounces at openid.net]
On Behalf Of Manger, James H
Sent: Monday, February 09, 2009 6:53 PM
To: security at openid.net
Subject: Re: [security] how secure is openid? advise pls..



Nate, please accept my apologies for mistaking you for Nat (who is a
board member); and similar apologies to Nat.

 

Nate,

It looks like we both agree that whitelisting OPs "breaks" OpenID to
some degree. I didn't want that "break" to be so easily (even if
reluctantly) accepted for what appeared to be a "general" consumer
Internet web site (not banking, health, corporate...).

 

James Manger
<http://peoplesearch.in.telstra.com.au/peoplesearch/UserDetail.aspx?EmployeeNumber=3799878>
James.H.Manger at team.telstra.com

Identity and security team - Chief Technology Office - Telstra 



________________________________

From: Nate Klingenstein [mailto:ndk at internet2.edu] 
Sent: Tuesday, 10 February 2009 12:53 PM
To: Manger, James H
Cc: security at openid.net; Balasubramanian G
Subject: Re: [security] how secure is openid? advise pls..

 

James,





> NO!
>
> Restricting users to only "some trusted OPs" absolutely breaks the core
> user-centric identity concept on which OpenID is built.

 

Please re-read Balasubramanian's comments.  My response was, "yes, it
does break one of the rules of thumb," with the addition that many other
things are threatening those concepts today as well.

 

> That must not be done lightly. It should not be the first
> suggestion (particularly from an OpenID board member) without knowing
> the specifics of a particular web site and its users. Such restrictions
> might be appropriate for some specialist Relying Parties, but they
> should be the exceptions, not the norm.

 

I'm certainly not a board member, was not nominated, would be flattered
but refuse to serve if nominated, and wonder whether you meant someone
else.

 

Take care,

Nate.
