Part of a series on Sun’s OpenID@Work initiative; see the introduction for more context.
Trust is always an issue on the web. People don’t usually even think about it, but they trust the DNS server to point their browser at the right web site when they click on a link, they trust the web server to serve up the right page, they trust their online bank to not broadcast their credit card numbers to the world, etc. etc. We as end-users can’t do anything about most of those, but there are some things that we can do, such as not giving banking details to sites that don’t look like our bank’s, or only giving out our social insurance numbers when we really have to. Knowing some of the issues and potential problems is important — you want to verify as much as possible whether your trust in the site is justified. So you don’t click on links in emails that don’t quite look right, and you check whether the little “locked” sign is present (assuming your browser hasn’t been hacked). Lots of people don’t trust internet systems with their personal data at all, deciding that the advantages of online interactions are outweighed by the potential damage if something goes wrong (there’s that risk assessment again that I talked about in the Business Purpose posting of this series).
So what’s this got to do with OpenID? Quite a lot, actually.
OpenID is an untrusted protocol, at least for version 1.1, which is the one we deployed on the OpenID IdP, and it’s likely to be true for version 2.0 as well, although that isn’t finished yet. As the OpenID web site says: This is not a trust system.
. Among other things, you don’t know anything about the site you’re logging into, it might be genuine, it might be a phishing site, it might be some other rogue site. And there’s no way currently for the Identity Provider to know. In other words, just because you can log into it with your openid identifier, doesn’t mean anything about what that site might do with any data or information you might give it. Which is one good reason why Sun’s OpenID IdP does not hand over information from the user’s account to the consuming site (relying party) unless the user agrees to it. You’re the person logging in, you can decide whether to trust that site with any information, whether that’s your openid identifier, or your name (possibly fake) or email address. And Sun’s system doesn’t ask for or store your date of birth, so if some site wants it (why would always be the right question to ask), feel free to answer correctly or with some completely random date (in fact, many privacy advocates say you should never tell any web site your real date of birth if there’s any way of legally avoiding it). Even handing over your openid identifier to some site can cause problems, if they then use it for purposes you didn’t expect and don’t agree to. Since this is an opt-in system for personal use, Sun wouldn’t bear any liability if you did fall prey to a phisher or other rogue while using your Sun openid identifier.
The upshot of this is that OpenID shouldn’t be used for what are called high-value transactions, at least in its current incarnation. High-value transactions are things such as logging in to your banking system, or releasing sensitive personal information such as your medical history. Typing “openid phishing” or “openid attacks” into your favourite search engine will give you some idea of the sorts of attacks that are currently possible. Some of these will be relatively easy to mitigate, and some aren’t really worth mitigating for the sorts of use cases that OpenID was designed for, as they would make the resulting protocol much harder to implement and deploy. And let’s face it, the idea behind OpenID was to have something easy and lightweight to deploy that meets some, but not all, authentication use cases.
Related articles include Steven Nelson’s So you wannabe an OpenID provider?, Eve Maler’s A Tincture of Trust, and Yvonne Wilson’s Trusted Sources of Information. Simon Willison has a slightly different take in Designing for a security breach. And if you want a more formal definition of trust and some of the issues around it, try Trust Modeling for Security Architecture Development.