
Re: Refactoring the Debtags web interface



Ben Finney wrote:
> I invite anyone interested in knowing how the distinct areas of
> identity, trust, and security intersect with the OpenID system, to
> research the available documentation.

...except openid has serious issues with establishing identity in a secure manner. Especially if the server connects to your identity provider using http (seems to be common practice as far as I can tell). Using http makes a MITM attack easy. Just redirect requests to an identity provider that always confirms the user's identity. Even if https is used, does the server validate the CA certificate? I have seen openid server software that doesn't do any checking of the SSL certificate (yes, there is a bug report on the issue).

Even then it is possible that a malicious website will redirect you to a website that looks identical to your identity provider's website, asks for your password, and then steals it.

Sure, an alert user will notice this; unfortunately many users would not notice.

If you can't establish identity in a secure manner, you can't establish trust, authorisation, or security in a secure manner either.

The key issue seems to be that openid wasn't designed from the ground up to be secure; for a secure solution you need something like Shibboleth <http://en.wikipedia.org/wiki/Shibboleth_(Internet2)> <http://shibboleth.internet2.edu/> (which I have been told *is* more secure) or maybe even a solution that requires web browser client support (e.g. Kerberos or something like Kerberos).

--
Brian May <brian@microcomaustralia.com.au>
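The two transport weaknesses raised above (discovery and provider traffic over plain http, and https without CA or hostname checking) are both things a relying party can refuse at its own end. The following is an added example written for this archive page, not code from the thread or from any OpenID library; the discovery HTML and the `example.invalid` hosts are constructed, and the function names are assumptions. It shows the checks a relying party would apply: insist on https for the claimed identifier and for the discovered provider endpoint, fetch with a context that actually verifies the CA chain and hostname, and distinguish a verifying TLS context from the unverified one that the buggy software described above effectively uses.

```python
"""Relying-party side transport checks for OpenID discovery (added example)."""
import re
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample of an OpenID 2.0 HTML discovery document. Host names
# are assumptions under the reserved .invalid TLD so nothing is contacted.
SAMPLE_DISCOVERY_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.invalid/server">
<link rel="openid2.local_id" href="https://alice.example.invalid/">
</head><body>alice</body></html>"""

# Same document, but the provider endpoint has been downgraded to http,
# which is what an on-path attacker rewriting the discovery page would do.
DOWNGRADED_DISCOVERY_HTML = SAMPLE_DISCOVERY_HTML.replace(
    "https://op.example.invalid/server", "http://op.example.invalid/server")

_PROVIDER_LINK_RE = re.compile(
    r'<link\s+rel="openid2\.provider"\s+href="([^"]+)"', re.IGNORECASE)


def require_https(url):
    """Return url unchanged if it is an absolute https URL, else raise."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-https OpenID URL: {url}")
    return url


def extract_provider_endpoint(html):
    """Pull the openid2.provider endpoint out of a discovery page and
    refuse it unless it is https; a plain-http endpoint lets anyone on the
    path substitute a provider that approves every assertion."""
    match = _PROVIDER_LINK_RE.search(html)
    if not match:
        raise ValueError("no openid2.provider link found in discovery page")
    return require_https(match.group(1))


def context_is_verifying(ctx):
    """True only if the SSL context checks the chain against a CA store AND
    checks that the certificate matches the host; the bug described in the
    thread is software running with one or both of these switched off."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verified_opener():
    """Build an opener whose TLS context verifies CA chain and hostname.
    create_default_context() loads the system CA bundle and sets
    CERT_REQUIRED + check_hostname; we still assert it, since a deployment
    can override those attributes after creation."""
    ctx = ssl.create_default_context()
    if not context_is_verifying(ctx):
        raise RuntimeError("TLS context does not verify certificates")
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def fetch_discovery(identifier_url, opener=None):
    """Fetch a claimed identifier's discovery page over verified https and
    reject any redirect that lands on a non-https URL (network call; not
    exercised offline)."""
    require_https(identifier_url)
    opener = opener or verified_opener()
    with opener.open(identifier_url, timeout=10) as resp:
        require_https(resp.geturl())  # a redirect must not downgrade us
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(extract_provider_endpoint(SAMPLE_DISCOVERY_HTML))
    try:
        extract_provider_endpoint(DOWNGRADED_DISCOVERY_HTML)
    except ValueError as exc:
        print("rejected:", exc)
    print("default context verifies:",
          context_is_verifying(ssl.create_default_context()))
    print("unverified context verifies:",
          context_is_verifying(ssl._create_unverified_context()))
```

The point of `context_is_verifying` is that Python's `ssl._create_unverified_context()` (or any context with `verify_mode = CERT_NONE`) will happily complete a handshake with whatever certificate an interposed host presents, which is exactly the failure mode the thread describes; a relying party that logs or asserts on this property at startup catches the misconfiguration before it reaches production.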

