OpenID Security & Privacy
The goals of this session were:
- Start a dialog about the state of Security and Privacy in OpenID
- Discuss the concerns that are unique to OpenID
- Talk about what things are being done and/or can be done

Attendees:
- Steve Osborn - Vidoop LLC
- Sam Alexander - Vidoop LLC
- Jim Pravety - Adobe
- Dennis Hamilton
- Allen Tom - Yahoo
- Jay Sullivan - Mozilla
- Dan Nelson - FBS Systems
- Marty Schleiff - Boeing
- Mike Beach - Boeing
- Andrew Nash - PayPal
- Shawn Geraghty - Trufina, Inc.
- Trent Cameron - Utah State Univ
- Masaki Nishitani - NRI
Steven Osborn asking what the concerns are.
Sam Alexander - gives the promises. In general, users and consumers don't care about privacy & security; they just want it to feel safe - example of confidence vectoring (Facebook). Proposed a banking analogy with regard to personal information. Use other examples, such as approved direct deposit/withdrawals/bill paying.
Example: an OpenID provider keeping a history of authorized ins against various Relying Parties, so it's something new, because it is not just Relying Parties that can track, disclose, etc.
Sam says: How do users get control of this, how do they understand what is happening and the consequences of the choices they are offered?
Getting questions about all of the qualities related to privacy and security.
Phishing-resistant solutions coming up, to secure the ease-of-use. Holes getting plugged in new and innovative ways.
Seatbelt is an example of a phishing-resistant solution.
One is to never have a shared secret that can be reused.
User education is a huge issue.
Consumer's IP has got to be invisible get, ...
Discussion about IDPs keeping transaction histories, need for audit abilities but that is expensive to discovery and revelation of the history information.
Questions about what RP you are talking to. As an RP, do I accept every IDP on the Internet?
Mike Beach: Big questions on legal issues - if there is liability to lawyers and others are reluctant. Liability question.
Allen Tom: Who is at fault if an RP is hacked, the IDP is hacked, etc.? How do we not freak the lawyers out?
Example of Amazon.com - contrast with physical goods and security and the digital article (like MP3 downloads).
For the RP - isn't there some way to qualify the claims from an IDP in order to accept them, or wind up being selective about IDPs only? Consumer may want to not use an IDP for some transactions (e.g., high value).
Fundamental questions may be at protocol level, and OpenID might just not ...
Critical: How does an IDP function and what can be trusted is a big question.
Bounding the problem is really important.
Value of OpenID is convenience. Discussion about hacking someone's email. Discussion - if filed by OpenID but the problem are not about OpenID.
OpenID is like SSO to the degree that users can be indirectly authenticated as they move from RP to RP.