Cutting through the backlog of the last couple of weeks, I thought I might publish my opinion on Doug Kaye's view that the single-point-of-failure weakness of SSO diminishes consumer protection. My original email, only slightly edited for wording and grammar, follows.
Doug, I think that the attack you are talking about is indeed a weakness. But as Scott noticed, the severity of the risk depends on the specific deployment conditions. The technical factors are apparent: the type of data, the applications and the size of the circle of trust. What is IMHO more important is the legal context. The argument that, because Liberty can be broken, consumer protection is weakened is not valid without considering all three: the technical issues of the Liberty protocol, the specific site deployment and the legal context in which they exist. Only when you have terms and conditions in place can you find out who bears the risk. It can be the customer, it can be the merchant, it can be a third party. For example, when using a credit card, unapproved purchases over $50 are not the responsibility of the customer. Another example is the recent ZDNet case, where the company was forced to pay compensation to customers whose card numbers were stolen from the ZDNet website, because it had promised reasonable protection in its T&Cs.
Doug's response to this was that vendors will not be inclined to promise to cover the risks in their T&Cs in the same way as a bank must, and that customers will not notice this in the "small print". This led me to another late-night email.
This issue, at its core, is very similar to the one with Palladium and hardware built-in DRM. SSO can provide benefits to users, but at the same time it can (and probably will), as a new technology, be used by a vendor to take away some part of the users' legal rights. In the case of DRM it would be content vendors "stealing" fair-use rights from users; in the Liberty case it would be web service providers transferring the additional risk associated with SSO to the user. Because in both cases no other technical solution providing the new desirable features exists, you can only argue either that the technology should be banned or that the issue is addressed at the legal/regulatory level (i.e. laws taking the liability away from the customer).
Personally, I believe that the right way to resolve this should be campaigning/shouting for the regulatory/consumer-protection solution. At least, this does make sense here in Europe. I don't live in the US and am not a lawyer so I am not sure if it is reasonable within American legal/political culture.
I don't know if this makes any sense to you. I find it strange that people often argue on technology grounds when the real issues are IMHO legal and/or political.
7:10:30 PM