From a recent email I sent to the openid-security list in response to this question:
(The) issue I have is that this project requires more security than something like a blog, and I'm wondering if it's appropriate to allow people to use OpenID to access the system. My concern is that a user who doesn't know what they are doing can sign up with an identity provider that is not as secure as I would like.
This is going to be a common question. (The rest of this post is the response I sent to the openid-security list.)
I think the real question is not whether you need "high security" or not; it's about risk tolerance, exposure and mitigation.
If a user losing control of their OP costs you nothing, and there's no real exposure for you, then you shouldn't care. I think this is the canonical OpenID use case, and it motivates the "openid spirit" of openness and "anybody can play".
If you are a bank and you are very exposed if someone else gets into a user's account (by regulation, or by market forces that demand you eat the cost of fraud), then perhaps you need to take a stance that is not so in line with the "openid spirit".
Concluding that a certain use of OpenID (the protocol) is against the "openid spirit", and that it therefore shouldn't be done with OpenID at all, is a mistake. In other words, if you can't live with the scriptures of the "openid spirit" right now, I don't think you should abandon "openid" the protocol.
You may find that you need to start with a whitelist of OPs (or some other OP-limiting option) and then work out how, or whether, you can deal with the risk exposure of opening up to any OP (through means like insurance or other risk-mitigation methods). It may be that you end up using OpenID as a protocol only within a small universe of OpenID providers; even that is a better situation than using something less open and lightweight, IMHO.
Using the OpenID protocol will give you a path in the future to open up and integrate with the outside world, if that's even a remote possibility. There'll be a ton of innovation around OpenID and authentication, and I'd hate to see people run away because the "openid spirit" is not compatible with the business realities they are operating in today.
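One way to implement the OP-limiting option described above, as an added example that is not part of the original post or of any OpenID library: an allow-list keyed on the OP endpoint URL rather than on the user's claimed identifier, because in OpenID 2.0 a claimed identifier can delegate to any OP, so a check on the identifier's domain alone does not limit which provider actually vouches for the login. The endpoint the OP reports back in `openid.op_endpoint` is compared against the one the RP discovered itself. The provider hosts, the `gate_assertion` function and its `discovered_op_endpoint` parameter are constructed for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list of OP endpoint URLs this RP is willing to trust.
# (Hypothetical hosts; replace with the providers you have actually vetted.)
ALLOWED_OP_ENDPOINTS = {
    "https://op.example-bank.test/openid/server",
    "https://idp.partner.test/openid",
}


def normalize_endpoint(url: str) -> Optional[str]:
    """Canonicalize an OP endpoint URL for allow-list comparison.

    Returns None unless the URL is an absolute https URL with a host, so a
    malformed, relative or plain-http endpoint can never match an entry.
    Case in scheme/host, an explicit :443, and any query/fragment are
    ignored; the path is compared as-is.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port is not None and port != 443:
        host = "%s:%d" % (host, port)
    return urlunsplit(("https", host, parts.path or "/", "", ""))


_ALLOWED = {normalize_endpoint(u) for u in ALLOWED_OP_ENDPOINTS}


def op_allowed(op_endpoint: str) -> bool:
    """True if the OP endpoint is on the allow-list (after normalization)."""
    canon = normalize_endpoint(op_endpoint)
    return canon is not None and canon in _ALLOWED


def gate_assertion(discovered_op_endpoint: str, response: dict) -> Tuple[bool, str]:
    """Decide whether an OpenID 2.0 positive assertion comes from an allowed OP.

    discovered_op_endpoint: the endpoint the RP itself obtained by running
        discovery on the user's claimed identifier (hypothetical parameter name).
    response: the decoded openid.* parameters returned to the RP's return_to URL
        (constructed dicts in the usage below).

    This is only the allow-list gate. Signature verification (or
    check_authentication against the discovered OP) still has to happen before
    the login is honoured.
    """
    if response.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if not op_allowed(discovered_op_endpoint):
        # Covers the delegation case: the claimed_id may live on a trusted
        # domain while its discovery document points at an arbitrary OP.
        return False, "discovered OP is not on the allow-list"
    asserted = normalize_endpoint(response.get("openid.op_endpoint", ""))
    if asserted != normalize_endpoint(discovered_op_endpoint):
        return False, "openid.op_endpoint differs from the OP discovered for this user"
    return True, "OP accepted; proceed to signature verification"


if __name__ == "__main__":
    # Constructed positive assertion from an allowed OP.
    good = {
        "openid.mode": "id_res",
        "openid.claimed_id": "https://alice.example-bank.test/",
        "openid.op_endpoint": "https://op.example-bank.test/openid/server",
    }
    print(gate_assertion("https://op.example-bank.test/openid/server", good))
    # Same claimed_id, but discovery delegated to an OP nobody vetted.
    delegated = dict(good, **{"openid.op_endpoint": "https://anyone-can-op.test/server"})
    print(gate_assertion("https://anyone-can-op.test/server", delegated))
```

The gate runs before any signature or association handling so that an assertion from an unlisted OP is never even verified; when the RP later wants to open up, the allow-list is the only thing that has to change.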