Users on Public Computers

Johannes Ernst jernst+openid.net at netmesh.us
Tue Nov 7 02:04:44 UTC 2006


I continue to believe that we need single-sign-out functionality, in  
particular once OpenID moves up the stack for higher-value transactions.

Some people have made the case that that is undesirable and/or  
impossible; I beg to differ.

Having automatic authentication against the IdP is quite similar to  
not having a password on the identity at all, in that it reduces the  
confidence that we know the real-world identity of the entity/user at  
the other end. In my view, there's nothing wrong with that, but we do  
need to be able to convey that to relying parties in a way that  
cannot be easily attacked.



On Nov 6, 2006, at 16:41, Joshua Viney wrote:

> One question re: User Experience and single-sign-on comes to mind:
>
> How do we treat users who are accessing their IdP and Relying  
> Parties via public computers?
>
> Use Case:
> Good User at public library wants to leave a comment on Blog X
> Blog X requires the person to authenticate via OpenID
> Good User enters their OpenID and successfully authenticates via  
> email and password (or whatever) (and authorizes the RP ('realm' in  
> 2.0) if necessary) at their IdP
> Good User is redirected to Blog X signed in
> Good User leaves comment
> Good User signs out of Blog X (if sign out is even an option)
> Good User then leaves the public library and goes shopping
> Evil User jumps on computer and proceeds to leave comments at any  
> number of OpenID enabled blogs using Good User's OpenID (he saw it  
> while looking over Good User's shoulder, or he checks any sites  
> that Good User did NOT sign out of that might display his OpenID)
> Evil User uses Good User's signed-in IdP session to sign into any  
> number of sites, etc.
>
> Outcome: Good User's reputation is ruined and his/her OpenID is  
> banned from a whole list of Relying Parties. Good User then blames  
> their IdP, the Relying Parties and OpenID as a technology and tells  
> everyone he/she knows not to use it, blogs about it and initiates a  
> press release.
>
> It may be easy to pass this off as an implementation specific issue  
> or as "user error", but this use case is somewhat likely for 2  
> reasons:
>
> 1. A user's OpenID URI is not necessarily a private thing  
> (obscurity is not security anyway)
> 2. Users will be at least 1 site removed from their IdP while  
> accessing a Relying Party, and no one is used to signing out twice
> 3. It is very very likely that IdPs will use some type of  
> "remember me" functionality
>
> One solution to consider would be a global sign-out feature on  
> relying party sites that signs users out of their IdP as well.  
> Another solution would be to make very specific recommendations  
> about messaging users who may be using public computers.
>
>
>
> Josh Viney
> http://www.eastmedia.com -- EastMedia
> http://identity.eastmedia.com -- OpenID, Identity 2.0
>
>
>
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
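The point made above about conveying automatic (remembered) authentication to relying parties, applied to the public-library use case, as an added example that is not code from either post: the IdP reports when the user last typed a credential (here via the openid.pape.auth_time field of the later PAPE extension, which is an assumption since this thread predates it) and the RP sets a maximum age per action. Policy values, session state and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"  # format PAPE uses for openid.pape.auth_time

# Constructed relying-party policy: how old the user's last *interactive*
# login at the IdP may be before the RP insists on a fresh one.
MAX_AUTH_AGE = {
    "comment": timedelta(hours=12),        # low value: remembered session is fine
    "change_email": timedelta(minutes=5),  # high value: fresh password entry
}

def parse_auth_time(value):
    """Parse '2006-11-06T14:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(value, ISO_UTC).replace(tzinfo=timezone.utc)

def idp_assertion(session):
    """Fields the IdP adds to its positive assertion. The point of the
    thread: report when the user last typed a credential, not when the
    'remember me' session was silently reused. 'session' is constructed
    IdP state with a 'last_interactive_auth' datetime."""
    return {"openid.pape.auth_time": session["last_interactive_auth"].strftime(ISO_UTC)}

def rp_decision(assertion, action, now):
    """Return 'accept' or 'reauth'. No auth_time, or one from the future
    (clock skew or tampering), counts as stale, so an IdP that cannot
    convey freshness cannot authorise a high-value action."""
    raw = assertion.get("openid.pape.auth_time")
    if raw is None:
        return "reauth"
    age = now - parse_auth_time(raw)
    return "accept" if timedelta(0) <= age <= MAX_AUTH_AGE[action] else "reauth"

def library_scenario():
    """Good User logs in at 14:00 and leaves the browser signed in at the
    IdP; Evil User sits down at 14:30. Returns the RP's decision per action."""
    idp_session = {"last_interactive_auth": parse_auth_time("2006-11-06T14:00:00Z")}
    now = parse_auth_time("2006-11-06T14:30:00Z")
    assertion = idp_assertion(idp_session)
    return {action: rp_decision(assertion, action, now) for action in MAX_AUTH_AGE}

if __name__ == "__main__":
    # The comment is still accepted: a freshness check protects high-value
    # actions only and does not replace a real sign-out at the IdP.
    print(library_scenario())
```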
