Charles,

It is true that almost all assertion based protocols require that an RP and user have some trust in the OP/IdP. This is equally the case for SAML and managed Info-Cards.

Something like PKI and personal info-cards allow the user to have complete control over the authenticator.

There are two basic options:
1. Increase the trustability of the OP/IdP.
2. Use multiple IdP simultaneously and pray.

I don't personally believe that option 2 is all that practical or gives much more security for the average user.

Given that openID is only secure enough as a protocol for ICAM LoA 1 (pseudonymous, protecting no PII), the most practical path is to provide more trustable OP/IdP. That said, with some of the v.Next changes openID will become appropriate for higher LoA.

I don't think Gov or Banks are going to be comfortable with multi Auth solutions. They are going to insist on trusted OP/IdP. You can have a look at the ICAM site to see where the US Gov is going.
http://www.idmanagement.gov/drilldown.cfm?action=openID_openGOV

I can see binding more than one openID to an RP to allow for recovery, however that needs to be balanced against doubling the attack surface.

Regards
John Bradley

On 2009-12-07, at 9:47 PM, Shearer, Charles Dylan wrote:

> I have some concerns about OpenID, and I would like to see what those
> involved think about them.
>
> It seems to me that, regardless of how OpenID is deployed, it is always
> possible for an OpenID provider itself to authenticate with a relying party
> as any user by forging a request to authenticate using the user’s identifier.
> This is because a relying party cannot tell the difference between a user
> attempting to log in using his or her identifier, and the user’s OpenID
> provider spoofing that user to gain access to whatever services the relying
> party provides to that user. This seems to require that both users and
> relying parties put a lot of trust in OpenID providers: for example, if I
> used my OpenID identifier for online banking and email, my OpenID provider
> could easily access my email and bank account.
>
> Additionally, even if we assume that OpenID providers will not log into
> users’ accounts, I still cannot see how OpenID could provide nonrepudiation
> regarding messages sent to a relying party by an authenticated user: for
> example, if I authenticate with my bank using my OpenID identifier and then
> use the bank’s “bill pay” service to pay a bill, there’s no way the bank can
> prove that I ordered that payment because it is possible that someone working
> for my OpenID provider logged in as me and ordered it.
>
> Does anyone disagree with my analysis?
>
> Dylan
> _______________________________________________
> security mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-security
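The trust relationship the two messages above discuss can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the thread, from the OpenID project, or from any OP/RP implementation. It models the OpenID 2.0 positive assertion check an RP performs (the fields named in openid.signed, serialised in key-value form and HMAC-SHA256'd under the association secret shared with the OP) and shows that, because the association secret is the only thing the RP verifies, the OP can produce an accepted assertion for any claimed identifier without the user being involved, which is exactly why the RP cannot distinguish the user from the OP and why the bank in Dylan's example holds no proof of who initiated a login. The second half stands in for John's "authenticator under the user's control" point (PKI, personal info-cards) with a simplification: the RP also requires a MAC under a per-user secret the OP never sees. A shared MAC is enough to stop OP impersonation here but not to give nonrepudiation (the RP could forge it too); a real deployment would use a user-held asymmetric key for that. All URLs, handles, nonces and keys are constructed for the example.

```python
"""Simulated OpenID 2.0 assertion verification (added example, not project code).

The RP trusts whoever holds the association secret. In OpenID that is the OP,
so the OP can mint a valid assertion for any claimed_id on its own.
"""
import base64
import hashlib
import hmac
import secrets

# Fields the OP lists in openid.signed and MACs (OpenID Authentication 2.0, 6.1).
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]

OP_ENDPOINT = "https://op.example/endpoint"          # constructed OP URL
RP_RETURN_TO = "https://bank.example/openid/return"  # constructed RP URL


def key_value_form(fields: dict, signed: list[str]) -> bytes:
    """Key-value form of the signed fields, 'name:value\\n' without the openid. prefix."""
    return "".join(f"{name}:{fields[name]}\n" for name in signed).encode()


def op_sign_assertion(assoc_secret: bytes, assoc_handle: str, claimed_id: str,
                      return_to: str, nonce: str) -> dict:
    """Build a positive assertion the way an OP does. Nothing here needs the
    user: the association secret alone is sufficient to sign for any claimed_id."""
    fields = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": OP_ENDPOINT,
        "return_to": return_to,
        "response_nonce": nonce,
        "assoc_handle": assoc_handle,
        "claimed_id": claimed_id,
        "identity": claimed_id,
        "signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(assoc_secret, key_value_form(fields, SIGNED_FIELDS), hashlib.sha256).digest()
    fields["sig"] = base64.b64encode(mac).decode()
    return fields


def rp_verify_assertion(assoc_store: dict, assertion: dict,
                        expected_return_to: str, seen_nonces: set) -> bool:
    """RP-side check: known association, matching return_to, fresh nonce, valid MAC.
    Note that no step involves anything only the user could have produced."""
    secret = assoc_store.get(assertion.get("assoc_handle"))
    if secret is None or assertion.get("mode") != "id_res":
        return False
    if assertion.get("return_to") != expected_return_to:
        return False
    nonce = assertion.get("response_nonce")
    if nonce is None or nonce in seen_nonces:
        return False  # replay protection: each response_nonce is accepted once
    signed = assertion["signed"].split(",")
    expected = hmac.new(secret, key_value_form(assertion, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(assertion["sig"]), expected):
        return False
    seen_nonces.add(nonce)
    return True


def user_countersign(user_secret: bytes, assertion: dict) -> dict:
    """Simplified stand-in for a user-held authenticator: the user MACs the OP's
    signature under a secret shared only between user and RP (not the OP)."""
    tag = hmac.new(user_secret, assertion["sig"].encode(), hashlib.sha256).digest()
    return {**assertion, "user_sig": base64.b64encode(tag).decode()}


def rp_verify_with_user_key(assoc_store: dict, user_keys: dict, assertion: dict,
                            expected_return_to: str, seen_nonces: set) -> bool:
    """Accept only if the OP's assertion verifies AND the user countersigned it."""
    if not rp_verify_assertion(assoc_store, assertion, expected_return_to, seen_nonces):
        return False
    user_secret = user_keys.get(assertion["claimed_id"])
    if user_secret is None or "user_sig" not in assertion:
        return False
    expected = hmac.new(user_secret, assertion["sig"].encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(assertion["user_sig"]), expected)


def demo_op_can_impersonate() -> tuple[bool, bool]:
    """(user's own login accepted, OP-minted login for the same user accepted).
    Both come out True: the two assertions are indistinguishable to the RP."""
    assoc_secret = secrets.token_bytes(32)          # constructed association secret
    assoc_store, seen = {"assoc-1": assoc_secret}, set()
    alice = "https://alice.example/"                 # constructed claimed_id
    genuine = op_sign_assertion(assoc_secret, "assoc-1", alice, RP_RETURN_TO, "2009-12-07T21:47:00Zaaa")
    minted = op_sign_assertion(assoc_secret, "assoc-1", alice, RP_RETURN_TO, "2009-12-07T21:48:00Zbbb")
    return (rp_verify_assertion(assoc_store, genuine, RP_RETURN_TO, seen),
            rp_verify_assertion(assoc_store, minted, RP_RETURN_TO, seen))


def demo_user_key_blocks_op_forgery() -> tuple[bool, bool]:
    """(countersigned login accepted, OP-only assertion rejected) -> (True, False)."""
    assoc_secret, alice_secret = secrets.token_bytes(32), secrets.token_bytes(32)
    alice = "https://alice.example/"
    assoc_store, user_keys, seen = {"assoc-1": assoc_secret}, {alice: alice_secret}, set()
    genuine = user_countersign(alice_secret, op_sign_assertion(
        assoc_secret, "assoc-1", alice, RP_RETURN_TO, "2009-12-07T21:49:00Zccc"))
    minted = op_sign_assertion(assoc_secret, "assoc-1", alice, RP_RETURN_TO, "2009-12-07T21:50:00Zddd")
    return (rp_verify_with_user_key(assoc_store, user_keys, genuine, RP_RETURN_TO, seen),
            rp_verify_with_user_key(assoc_store, user_keys, minted, RP_RETURN_TO, seen))


if __name__ == "__main__":
    print("OP-only check, (genuine, OP-minted):", demo_op_can_impersonate())
    print("With user key, (genuine, OP-minted):", demo_user_key_blocks_op_forgery())
```

The first demo is the whole of Dylan's point in two lines: the assertion the user triggered and the one the OP minted on its own are built by the same function from the same secret, so the RP's verifier returns True for both and its logs record nothing that separates them. The second demo shows what changes once the RP demands something the OP does not hold, which is the direction John's "PKI and personal info-cards" remark points in.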
