Whitelisting would be an option, but I'm not sure I like it. The most secure identity provider can be the one hosted on your own box, so it seems a little odd that those are the ones I wouldn't allow. Do you mean that I could set up some kind of click-through and have it show up only if the user's IP is not on the whitelist? That could be an option.
On 2/20/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> On 2/20/07, Dmitry Shechtman <[EMAIL PROTECTED]> wrote:
> > You may use server whitelisting to require all logins to originate from e.g.
> > providers supporting SSL/TLS for login, although I believe this would be
> > against the spirit of OpenID.
>
> IMO, the spirit of OpenID is to accept sign-ins from anywhere,
> *unless* you have a good reason not to.
>
> My advice would be to make a list of who would be affected by
> different security decisions on the part of OpenID providers, and make
> sure that you're taking care of each of those cases in your
> implementation.
>
> If the exposed parties are solely end users, you could have a
> white-list of providers that you trust, and have a click-through page
> describing what kind of exposure the users would open themselves up to
> if their provider does not follow the minimum guidelines. Ideally,
> you'd be able to whitelist the providers for most of your users, and
> still let others play.
>
> If you decide that the exposure is too great or the decision is too
> complicated for end-users, you can get by with a whitelist of OpenID
> providers who you do trust.
>
> I think that the biggest questions that you have to answer are:
> * what happens if the user loses control of their URL?
> * what kinds of information are tied to that account that would get exposed?
> * who is liable if someone else takes action on the part of the user?
>
> There are other options, such as using captcha, if it turns out your
> concern is only about bots.
>
> It would be good if we could try to get a full list of this kind of
> question, and maybe make a flow-chart or similar to help sites decide
> what kind of policy they should have w/r/t accepting OpenID users.
>
> Hope that helps,
> Josh

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
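The policy Josh sketches (accept whitelisted providers outright, send users of other providers through a click-through page describing their exposure, and refuse providers that miss the minimum guideline of TLS on the sign-in endpoint) can be written down as a small relying-party decision function. This is an added illustration, not code from the thread or from any OpenID library; the provider hostnames in the whitelist are constructed placeholders, and the TLS-only minimum guideline is the one Dmitry mentions.

```python
from urllib.parse import urlparse

# Constructed placeholder whitelist: provider endpoint hosts the relying
# party (RP) has vetted and accepts without a warning page. The whitelist
# keys on the provider's endpoint host, not on the end user's IP address.
TRUSTED_PROVIDERS = {"openid.example.com", "idp.example.org"}

# Minimum guideline discussed in the thread: the provider's sign-in
# endpoint must be reachable over SSL/TLS.
def meets_minimum_guidelines(op_endpoint: str) -> bool:
    return urlparse(op_endpoint).scheme == "https"

def classify_provider(op_endpoint: str, trusted=TRUSTED_PROVIDERS) -> str:
    """Decide how the RP treats a discovered OpenID provider endpoint.

    Returns one of:
      'allow'         - endpoint host is on the RP's trusted whitelist
      'click_through' - not whitelisted, but meets the minimum guidelines;
                        show the exposure page before continuing
      'deny'          - fails the minimum guidelines (or is not a usable URL)
    """
    parsed = urlparse(op_endpoint)
    host = (parsed.hostname or "").lower()
    if not host:
        return "deny"
    if host in trusted:
        return "allow"
    if meets_minimum_guidelines(op_endpoint):
        return "click_through"
    return "deny"

def exposure_notice(op_endpoint: str) -> str:
    """Text for the click-through page, built from the three questions
    Josh lists: loss of the URL, exposed data, and liability for actions."""
    host = urlparse(op_endpoint).hostname or op_endpoint
    return (
        f"Your OpenID provider ({host}) is not on this site's vetted list. "
        "If you lose control of your OpenID URL, whoever controls it can sign "
        "in as you, see the data tied to this account, and act on your behalf. "
        "Continue only if you trust your provider to protect your identity."
    )

if __name__ == "__main__":
    # Self-hosted provider with TLS: allowed via click-through, as Dmitry wanted.
    ep = "https://myserver.example.net/openid"
    print(classify_provider(ep))   # click_through
    print(exposure_notice(ep))
```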
