James, I am totally in favor of enabling consumers to make their own choice of OP and who they trust. If we are considering low or "zero" value transactions then RPs that are utilizing these openids should utilize the broadest set of OPs possible. However, the identity space is not uniform - not even the consumer identity space. There are in fact large swathes of relying parties that have different needs. The problem is that while consumers are free to choose whatever OP they want, a whole range of RPs are not free to accept just any identities produced by any OP.

At the farther end of the spectrum, being a financial institution with "know your customer" regulations or a health care provider with HIPAA will significantly restrict the set of OPs you may be able to rely on. Given that an OP is providing an authentication service and attesting to the consistency of the identity and user that is being presented (leaving other KYC issues aside), the effectiveness with which an OP is run and how that figures into your risk processing is a completely valid concern. For merchants or other RPs that fit somewhere through the middle of the identity continuum, they will make choices of OPs based on their own fraud/risk/security criteria. I don't see how we can say we want them to use OpenID without allowing the RPs as much freedom to make choices about appropriate OPs based on the identity proofing, management, authentication, risk analysis or whatever else is required for the RP to operate successfully.

Engagement with Relying Parties is one of our bigger challenges - part of the reason is that we need to provide appropriate support for them in the area of trust - unless we decide as a community that we want OpenID to be restricted to a subset of relying parties. Even in Balasubramanian's case, operating a "non-profit", he is making risk based assessments and trying to work out the appropriateness of OpenID as a solution for his needs. He is dealing with standard issues relating to transaction velocity and potential account spoofing in various ways. These are totally valid concerns that we do need to openly discuss and address. The merits and values (and even potential enhancements to OpenID) must be open to discussion or we are in danger of becoming a religious debate. It should not matter if Nate is Nat or Nate, a board member or not. If this is an open community then let's just talk about the issues with some level of respect.
To be quite clear (as I am sure this has potential for misinterpretation) - I am totally supportive of the user-centric aspects of OpenID. However, if we want to be effective in dealing with even moderately complex uses of OpenID moving forward, these issues of security and trust need to be addressed.

--Andrew

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Manger, James H
Sent: Monday, February 09, 2009 6:53 PM
To: [email protected]
Subject: Re: [security] how secure is openid? advise pls..

Nate, please accept my apologies for mistaking you for Nat (who is a board member); and similar apologies to Nat.

Nate,

It looks like we both agree that whitelisting OPs "breaks" OpenID to some degree. I didn't want that "break" to be so easily (even if reluctantly) accepted for what appeared to be a "general" consumer Internet web site (not banking, health, corporate...).

James Manger <http://peoplesearch.in.telstra.com.au/peoplesearch/UserDetail.aspx?EmployeeNumber=3799878>
[email protected] <mailto:[email protected]>
Identity and security team - Chief Technology Office - Telstra

________________________________
From: Nate Klingenstein [mailto:[email protected]]
Sent: Tuesday, 10 February 2009 12:53 PM
To: Manger, James H
Cc: [email protected]; Balasubramanian G
Subject: Re: [security] how secure is openid? advise pls..

James,

> NO! Restricting users to only "some trusted OPs" absolutely breaks the core user-centric identity concept on which OpenID is built. Please re-read Balasubramanian's comments.

My response was, "yes, it does break one of the rules of thumb," with the addition that many other things are threatening those concepts today as well.

> That must not be done lightly. It should not be the first suggestion (particularly from an OpenID board member) without knowing the specifics of a particular web site and its users. Such restrictions might be appropriate for some specialist Relying Parties, but they should be the exceptions, not the norm.

I'm certainly not a board member, was not nominated, would be flattered but refuse to serve if nominated, and wonder whether you meant someone else.

Take care,
Nate.
_______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
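The thread above argues over whether an RP should "whitelist" the OPs it accepts, and notes that the answer depends on the RP's risk tier (a zero-value consumer site versus a KYC- or HIPAA-bound one). The following is an added example, written for this page and not code from any of the list participants or from the OpenID project, of how an RP could implement that decision safely once its own discovery step has produced the OP endpoint URL (discovery itself is assumed and not shown). The tier names, the hostnames in the allowlist and the test URLs are all constructed for illustration. The security-relevant detail is that the match is on the exact, normalised hostname of an https URL, so lookalike hosts such as `op.bank-partner.example.attacker.test` and userinfo tricks such as `https://op.bank-partner.example@attacker.test/` are refused:

```python
"""Added example: RP-side OP acceptance policy for OpenID relying parties.

Not code from the mailing-list thread or from the OpenID project. The OP
endpoint URL is assumed to come from the RP's own discovery step, which is
not shown. Tiers, allowlist hosts and sample URLs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical "regulated" RP (e.g. one with
# KYC or HIPAA obligations). Entries are exact hostnames, never substrings
# or prefixes, so "op.bank-partner.example" does not match
# "op.bank-partner.example.attacker.test".
REGULATED_OP_ALLOWLIST = frozenset({
    "op.bank-partner.example",
    "login.health-idp.example",
})


def op_host(op_endpoint: str) -> Optional[str]:
    """Return the normalised hostname of an OP endpoint URL.

    Returns None unless the URL is https with a plain hostname. Userinfo
    ("user@") and port are discarded by urlsplit().hostname, so
    "https://op.bank-partner.example@attacker.test/" yields attacker.test,
    not the allowlisted name.
    """
    try:
        parts = urlsplit(op_endpoint)
        host = parts.hostname  # may raise ValueError on malformed IPv6
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not host:
        return None
    # Trailing dot (absolute DNS name) and case are not distinguishing.
    return host.rstrip(".").lower()


def op_accepted(op_endpoint: str, tier: str) -> bool:
    """Decide whether this RP will rely on assertions from the given OP.

    tier "open":      any https OP is accepted (low/zero-value transactions,
                      the case the thread says should use the broadest set).
    tier "regulated": only allowlisted OPs; everything else is refused.
    """
    host = op_host(op_endpoint)
    if host is None:
        return False
    if tier == "open":
        return True
    if tier == "regulated":
        return host in REGULATED_OP_ALLOWLIST
    raise ValueError(f"unknown RP tier: {tier!r}")


if __name__ == "__main__":
    for url in ("https://op.bank-partner.example/openid",
                "https://op.bank-partner.example.attacker.test/openid",
                "https://op.bank-partner.example@attacker.test/openid",
                "http://op.bank-partner.example/openid"):
        print(url, "open:", op_accepted(url, "open"),
              "regulated:", op_accepted(url, "regulated"))
```

Keeping the tier as an explicit parameter is deliberate: it lets the same RP code serve a general consumer site (where the thread agrees restricting OPs should be the exception) and a regulated one, without the allowlist silently becoming the default everywhere.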
