[OpenID] openid query

George Fletcher gffletch at aol.com
Fri Feb 29 07:38:54 PST 2008



Martin Paljak wrote:
>
> On Feb 29, 2008, at 3:29 PM, George Fletcher wrote:
>> As Nat says, reputation can help significantly (provided you "trust" the
>> reputation service ;) ). Or as others have mentioned, white lists. Of
>> course, you could also design the RP with increasing levels of service
>> based on the RP's "trust" of the customer. So the customer has to "earn
>> some level of trust" in order to get access to increasingly valuable
>> services. Whether customers want to wait through that process is another
>> matter.
>
> There are two types of websites roughly:
> public ones (yourcoolweb2app.com)
> closed ones (yourintranet.com)
>
> To make use of OpenID, both organizations first have to learn to trust 
> their clients.
> This of course assumes that users make smart decisions.
>
> Public websites should be happy with whatever credentials the user 
> wishes to present and just be thankful that the user visits them. You 
> should make blacklists only to protect users from Really Bad Providers.
>
> Private websites, if they go for OpenID, need to trust their clients 
> as well. If I say that I want to get access to my stuff with OpenID 
> example.com, I probably am very sure about it. Why should somebody 
> doubt my choice? Most probably this type of websites use whitelists to 
> use providers that are known to be Good Enough.
>
>
> OpenID is great for trust actually. If we take the amount of 'trust' 
> one person can normally handle and assume it is finite (like Dunbar's 
> number), it is much-much easier to trust a handful of OpenID providers 
> you use to behave correctly than it is to trust all those hundreds of 
> sites you use to handle your password and private information in the 
> right way. The same goes for reputation services.
>
> Do I trust the 50+ 'authorities' pre-selected by somebody else for me 
> in Firefox? I doubt it. Do I trust the OpenID providers I've chosen to 
> use? More likely.
>
>
> m.
Hmm... doesn't this presume that all users are reputable and 
conscientious? As I see it there are 3 parties involved in the 
transaction: the user, the OP and the RP. There is some trust/risk 
factor associated with each relationship.

From the user's perspective they "trust" the OP (either because they 
want to spam and so are using an OP that makes "false assertions", or 
because they trust the OP to protect their authentication credentials 
and represent them correctly on the web). The user may or may not trust 
the RP, but by logging in they are making some level of trust/risk 
assessment.

From the OP's perspective the user represents some risk/value metric 
(too many "bad" users and the OP gets blacklisted). The OP protects that 
risk by potentially verifying email or cell number, supporting PAPE and 
other strong authentication methods, etc. The OP also has a risk/value 
metric with the RP though this is probably not super important right 
now. I can envision a smart OP warning me about authenticating to an RP 
that it has somehow determined is not "trustworthy".

From the RP's perspective, they have a risk/value metric on the user 
(e.g. Is the user going to be a good citizen of my community? Are they 
going to abuse the resources I provide? How much effort do I want to put 
into detecting "bad apples"?). The RP also has a risk/value metric on 
the OP (e.g. When the OP says they support the PAPE extension do they 
really do it?). Finally the RP has a risk/value metric on the 
resource/service they provide. From a business perspective I don't 
believe it's wise to blatantly "trust" the user if the resource/service 
is highly valuable (e.g. moving funds between accounts). Most users 
today don't have the sophistication to make good decisions.

So if I'm a public website just providing a low risk resource (e.g. 
content, simple social media, etc) then it doesn't really matter who the 
user is, their use of the site is more valuable than the risk and with 
some simple community policing features there should be no worries.

However, if I'm a public website providing a resource/service that has a 
high risk metric then I care about the user and the OP that is vouching 
for them.

Thanks,
George
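The RP-side decision George describes (low-risk resources accept any OP, high-risk ones whitelist the OP and check what the OP actually asserted via PAPE, and users earn trust over time) as an added example; this is illustrative code, not anything from the thread or the OpenID libraries. The PAPE policy URIs and the `auth_policies`/`auth_time` response fields are the real PAPE 1.0 ones; the risk levels, thresholds, OP lists and reputation score are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Real PAPE 1.0 policy URIs, as they appear in openid.pape.auth_policies.
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Constructed RP policy (hypothetical values): PAPE policies each risk level
# needs and how fresh the OP's authentication must be, in seconds.
REQUIRED_POLICIES = {0: set(), 1: set(), 2: {PHISHING_RESISTANT},
                     3: {PHISHING_RESISTANT, MULTI_FACTOR}}
MAX_AUTH_AGE = {0: None, 1: 86400, 2: 900, 3: 300}
TRUSTED_OPS = {"https://op.example.net/server"}   # constructed whitelist
BLOCKED_OPS = {"https://spam-op.example.org/"}    # constructed blacklist
MIN_REPUTATION = 10                               # constructed "earned trust" bar


def parse_auth_time(value):
    """PAPE auth_time is UTC in the form 2005-05-15T17:11:51Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decide(risk, op_endpoint, pape, reputation, now):
    """Return 'allow', 'limited', 'step_up' or 'deny' for one RP request.

    `pape` holds the openid.pape.* fields of the positive assertion (without
    the prefix); `reputation` is the RP's own score for this user.
    """
    if op_endpoint in BLOCKED_OPS:
        return "deny"                      # Really Bad Provider
    if risk == 0:
        return "allow"                     # low-risk content: any OP will do
    if risk >= 2 and op_endpoint not in TRUSTED_OPS:
        return "deny"                      # high-risk service: whitelist only
    # Do not take "supports PAPE" on faith: check what this response claims.
    asserted = set(pape.get("auth_policies", "").split())
    if not REQUIRED_POLICIES[risk] <= asserted:
        return "step_up"                   # re-request with preferred_auth_policies
    max_age = MAX_AUTH_AGE[risk]
    if max_age is not None:
        auth_time = pape.get("auth_time")
        if auth_time is None or now - parse_auth_time(auth_time) > timedelta(seconds=max_age):
            return "step_up"               # authentication too old for this resource
    if risk == 1 and reputation < MIN_REPUTATION:
        return "limited"                   # new user: earn trust before full access
    return "allow"
```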