On 2/20/07, Dmitry Shechtman <[EMAIL PROTECTED]> wrote:

> You may use server whitelisting to require all logins to originate from e.g.
> providers supporting SSL/TLS for login, although I believe this would be
> against the spirit of OpenID.
IMO, the spirit of OpenID is to accept sign-ins from anywhere, *unless* you have a good reason not to.

My advice would be to make a list of who would be affected by different security decisions on the part of OpenID providers, and make sure that you're taking care of each of those cases in your implementation. If the exposed parties are solely end users, you could have a whitelist of providers that you trust, and have a click-through page describing what kind of exposure the users would open themselves up to if their provider does not follow the minimum guidelines. Ideally, you'd be able to whitelist the providers for most of your users, and still let others play. If you decide that the exposure is too great or the decision is too complicated for end-users, you can get by with a whitelist of OpenID providers who you do trust.

I think that the biggest questions that you have to answer are:

* what happens if the user loses control of their URL?
* what kinds of information are tied to that account that would get exposed?
* who is liable if someone else takes action on the part of the user?

There are other options, such as using captcha, if it turns out your concern is only about bots.

It would be good if we could try to get a full list of this kind of question, and maybe make a flow-chart or similar to help sites decide what kind of policy they should have w/r/t accepting OpenID users.

Hope that helps,
Josh

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
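The tiered relying-party policy sketched in the reply above (trusted providers pass, unknown providers get a click-through exposure notice when only the end user is at risk, and a strict whitelist applies when third parties would be on the hook), written out as an added Python example that is not part of the thread. The trusted-host list, the sample endpoint URLs, and the use of an https OP endpoint as the stand-in for "minimum guidelines" are all constructed assumptions, not anything the list members proposed.

```python
# Added example, not from the mailing-list thread: a relying-party policy check
# for an OpenID provider (OP) endpoint discovered for a user's identifier.
# Everything below (host list, URLs, the TLS rule) is a constructed assumption.
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse

class Decision(Enum):
    ACCEPT = "accept"   # trusted provider: complete the sign-in directly
    WARN = "warn"       # unknown provider: show the click-through exposure page
    REFUSE = "refuse"   # fails the site's minimum requirements or strict policy

# Constructed sample whitelist; a real site would maintain its own list.
TRUSTED_PROVIDERS = {"op.example.com", "id.example.org"}

@dataclass
class PolicyResult:
    decision: Decision
    reason: str   # text a site could log, or show on the click-through page

def evaluate_provider(op_endpoint: str,
                      exposes_third_parties: bool = False,
                      trusted=TRUSTED_PROVIDERS,
                      require_tls: bool = True) -> PolicyResult:
    """Decide how to treat a sign-in routed through the OP at op_endpoint.

    exposes_third_parties answers the thread's "who is affected" question:
    if only the end user can be harmed, unknown providers are allowed after a
    warning; if others (the site, other users) are exposed, only whitelisted
    providers are accepted.
    """
    parsed = urlparse(op_endpoint)
    host = (parsed.hostname or "").lower()

    # Minimum requirement applied to every provider, trusted or not.
    if parsed.scheme not in ("http", "https") or not host:
        return PolicyResult(Decision.REFUSE, "endpoint is not an absolute http(s) URL")
    if require_tls and parsed.scheme != "https":
        # Assumption: an https OP endpoint stands in for "provider meets the
        # minimum guidelines" (the thread mentions SSL/TLS for login).
        return PolicyResult(Decision.REFUSE, "provider endpoint does not use TLS")

    if host in trusted:
        return PolicyResult(Decision.ACCEPT, "provider is on the trusted list")

    # Unknown provider: the exposure decides between warn and refuse.
    if exposes_third_parties:
        return PolicyResult(Decision.REFUSE,
                            "unknown provider and third parties would be exposed")
    return PolicyResult(Decision.WARN,
                        "unknown provider; show click-through notice describing "
                        "the user's exposure if this provider is compromised")

if __name__ == "__main__":
    for url, third in [("https://op.example.com/server", False),
                       ("https://other.example.net/openid", False),
                       ("https://other.example.net/openid", True),
                       ("http://op.example.com/server", False)]:
        r = evaluate_provider(url, exposes_third_parties=third)
        print(f"{url:40} third_parties={third!s:5} -> {r.decision.value}: {r.reason}")
```

The `exposes_third_parties` flag is the one input a site must decide for itself from the three questions in the reply (loss of URL control, what account data is tied to it, who is liable); the function only turns that answer plus the whitelist into the accept / warn / refuse outcome.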
