OpenID: Trust and Liability

My co-worker (Sam) and I lead a session at IIW called “OpenID Security and Privacy” and as the conversation evolved it occurred to me that even though these issues exist in OpenID today, the real hurdles are going to be trust and liability.

There are many companies and products doing things to improve security for OpenID. Verisign’s seat-belt plugin is excellent at thwarting phishing. Vidoop defeats keylogging and automated attacks. The sad truth is your OpenID login is already likely to be more secure than your bank’s login. There are solutions to the current security issues facing OpenID. Some of the solutions are already available; others will take some time to implement and may require your browser to be a bit smarter, but we know how to solve these problems.

There seems to be a lot of talk about trust between identity providers and relying parties. Quite a few people have suggested that there needs to be some method for a relying party to assert some level of trust with any given identity provider. Suggested methods for doing so are Idp certification or some sort of rating/reputation system. There is a lot of resistance to either of these things because it makes it hard for user’s from implementing their own Idp.

Many potential OpenID reliers have a lot of trouble with the fact that anyone can roll their own Idp. The argument is that the Rp’s shouldn’t trust every Idp out there, because evil-bad-guy can create his own Idp. This is really only true for Rp’s who don’t already have an existing relationship with the user (typically low risk transactions). Most high risk transactions between an Rp and an end user there is already an existing relationship. For example, you already have a bank account with your bank. So when you go to log into them with your OpenID it’s really not important that they trust your Idp, because the first time you logged in with that OpenID they can verify you are who you say you are via some other channel. So the real important trust relationship is between the user and the Idp. It’s important that the user select an Idp they can trust, who provides good security for their identity. The thing is user’s do this sort of thing every day. User’s decide who to trust with their identity every time they are online. They choose to trust PayPal, Amazon, eBay with their bank account information. User’s already make decisions about who to trust with their identity.

The real problem is liability. What happens when evil-bad-guy signs into Jane’s bank account with with her OpenID and steals all her money? Is the bank at fault or is the Identity provider at fault for falsely identifying the user? Companies have a really hard time buying into a technology when they don’t have someone to sue when things go wrong.