If you use your email account for account recovery your email provider can
get access to all of your other accounts. That is one of the largest
security problems.

Surely the problem is not that the provider can do it (yes, they can,
but how often do they?), but that anyone you give your password away
to can do it.

The larger (class of) problem is that any 3rd party you trust can go bad.

Controlling your own password is something you have power over, and can probably manage regardless of whether 3rd parties are actively cooperating. But you don't have ANY power over 3rd parties, and their susceptibility to corruption is itself a variable that you have no control over. OpenID tries to strike a balance between unique passwords (to ensure no RP can pose as the user to any other RP), which are difficult to memorize, and account individuality (where users exist apart from their SSO OP) by enabling delegation, but how many users actually know this feature exists, much less have it operating that way? Especially with so many sites trying to become OPs (when, really, all they need is an added field in the interface for people who can't upload/modify their own HTML documents to set OpenID headers). You'd think that the risk of employee malpractice would have more sites encouraging users to look *elsewhere* for their OP needs, not just be averse to the whole idea.

It might be interesting to compare how many people adopted PGP (an identity solution without 3rd parties) at various points along its release timeline, to how many users of OpenID adopted delegation.

-Shade
_______________________________________________
security mailing list
http://lists.openid.net/mailman/listinfo/openid-security