> As it currently stands, if a user is hosting his own identifier,
> whether by delegation or by running his own OP, it becomes his
> responsibility to protect that identifier from being compromised by
> others.
And we all know how tech-savvy and security-aware the typical user is ;) One of the selling (adoption) points for OpenID has been how easily you can set it up, just adding one or two headers to a page. If we have to add a caveat to this like "But you'd better be tech-savvy enough to understand and address these security risks or you'll be leaving yourself open to identity theft and, as far as the rest of us are concerned, it'll be all your fault," we might be better off just not saying that. But if the typical (*not* tech-savvy) user has to rely on large-scale identity providers to securely host their URI, the decentralization factor loses credibility, since those large sites effectively *own* all OpenIDs between them, and only a small number of people have anywhere to go besides another of the large sites.

Donning my Relying Party hat for a moment (and pretending that I'm already prepared to accept arbitrary users), this is very worrisome for letting users input anything that wouldn't be public anyway, and then granting them later access to this same data on the merit of nothing more than having the same URI (and since that's practically the basis of OpenID, this is a very bad thing to be worried about).

Perhaps an informal polling of various places offering web services, to see how many are web 2.0 aware, and get an idea of their policy for how long (if ever) before old account names can be recycled? The latter could be used to help the Foundation decide on a safe time limit for RPs to automatically recycle unused URIs within, in their OP/RP best practices list. The former looks to be a herculean task (how many small-time hosting companies could there be?), and wouldn't matter if the companies practiced good username-recycling policies, but perhaps a space for volunteer-only efforts would strike a comfortable balance between enabling it and not wasting too much work on it?
I see a flow of:

1) I go to the OpenID website and check a page in the wiki listing companies whose status we know.
2) I don't see the one I'm currently paying for service on that list, so I call mine up and question them.
3) I go back to the wiki and report my findings, or, if I don't have an OpenID yet, e-mail someone who does have one.

The latter would only need a large sampling of various companies to fairly reflect the current state of affairs; the former would be an ongoing effort. Thoughts on either?

-Shade

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
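As an added illustration (not code from the thread or from any OpenID project) of the RP-side policy Shade asks for, the sketch below shows a Relying Party that stops treating "same URI" as sufficient once an identifier has been dormant, and detaches old data entirely once the recycle limit passes. The 90-day and 365-day windows, the action names and the example URL are assumptions chosen for the demo.

```python
"""Added example: an RP deciding what a returning OpenID URL may reach,
based on how long that identifier has been unused at this RP."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy windows (not from the thread). After REVERIFY_AFTER the RP
# no longer trusts the URL alone; after RECYCLE_AFTER the URL is treated as
# possibly re-issued by its host to a different person.
REVERIFY_AFTER = timedelta(days=90)
RECYCLE_AFTER = timedelta(days=365)


@dataclass
class Account:
    claimed_id: str        # OpenID URL the account was created with
    last_seen: datetime    # last successful login at this RP
    has_private_data: bool


def decide(account: Optional[Account], now: datetime) -> str:
    """'create' (unknown URL), 'grant' (recently active), 'reverify' (dormant,
    demand an out-of-band check such as e-mail confirmation before exposing
    stored data), or 'recycle' (past the limit: unlink old data, start fresh)."""
    if account is None:
        return "create"
    idle = now - account.last_seen
    if idle >= RECYCLE_AFTER:
        return "recycle"
    if idle >= REVERIFY_AFTER and account.has_private_data:
        return "reverify"
    return "grant"


def on_successful_assertion(store: dict, claimed_id: str, now: datetime) -> str:
    """Apply the decision to an in-memory account store; return the action."""
    action = decide(store.get(claimed_id), now)
    if action in ("create", "recycle"):
        # Old data, if any, is detached from the URL rather than handed over.
        store[claimed_id] = Account(claimed_id, now, has_private_data=False)
    elif action == "grant":
        store[claimed_id].last_seen = now
    # 'reverify': last_seen stays put until the out-of-band check succeeds.
    return action


def demo() -> list:
    """Constructed timeline for one identifier; returns the actions taken."""
    store, uri = {}, "http://example.invalid/shade"      # constructed URL
    t0 = datetime(2007, 1, 1, tzinfo=timezone.utc)
    out = [on_successful_assertion(store, uri, t0)]                             # create
    store[uri].has_private_data = True                                          # user saves a profile
    out.append(on_successful_assertion(store, uri, t0 + timedelta(days=30)))    # grant
    out.append(on_successful_assertion(store, uri, t0 + timedelta(days=150)))   # reverify
    out.append(on_successful_assertion(store, uri, t0 + timedelta(days=500)))   # recycle
    return out
```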
