[OpenID] OpenID and trust

James A. Donald jamesd at echeque.com
Mon Jan 15 03:14:23 UTC 2007


On 13-Jan-07, at 1:55 AM, Marcin Jagodziński wrote:
 > I don't quite get it. How can RP get information about
 > OP's? I can write a spam-OP which will always return
 > information, that user was authenticated using e.g.
 > token (even if it's not true).

Spammers can create any number of spam-OPs.

If they do, then relying parties can use the usual
measures - for example a blog can auto whitelist any
commenter who has had a comment approved, and also auto
whitelist his OP, blacklist known spammer OPs, and
graylist all unknown OPs.

People with a whitelisted OP get their comment displayed
immediately, but flagged to be examined by a moderator;
people with a graylisted OP get their comment held for
moderation; people with a blacklisted OP get 404ed.
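
The list policy described in the message above, as an added example that is not part of the original post. The class and function names, keying an OP by its endpoint host, the 200/202 status codes and the rule that the blacklist takes precedence are assumptions; inputs are assumed to come from an already verified OpenID assertion.

```python
from urllib.parse import urlsplit

# Outcome per list: (HTTP status, displayed now, queued for moderator).
# 404 for the blacklist is from the post; 200 and 202 are assumed.
OUTCOMES = {
    "white": (200, True, True),    # shown at once, still flagged for review
    "gray": (202, False, True),    # held until a moderator approves
    "black": (404, False, False),  # rejected outright
}


def op_host(op_endpoint):
    """Key an OP by the lowercased host of its endpoint URL (assumed granularity)."""
    host = urlsplit(op_endpoint).hostname
    if not host:
        raise ValueError("OP endpoint has no host: %r" % op_endpoint)
    return host


class OpReputation:
    """Hypothetical per-RP lists. Callers pass values from a verified assertion."""

    def __init__(self, blacklisted_ops=()):
        self.black_ops = {op_host(u) for u in blacklisted_ops}
        self.white_ops = set()
        self.white_users = set()

    def classify(self, claimed_id, op_endpoint):
        op = op_host(op_endpoint)
        if op in self.black_ops:          # blacklist wins (assumed precedence)
            return "black"
        if op in self.white_ops or claimed_id in self.white_users:
            return "white"
        return "gray"                     # every unknown OP

    def submit(self, claimed_id, op_endpoint):
        return OUTCOMES[self.classify(claimed_id, op_endpoint)]

    def approve(self, claimed_id, op_endpoint):
        """Moderator approved a comment: whitelist the commenter and the OP."""
        if self.classify(claimed_id, op_endpoint) != "black":
            self.white_users.add(claimed_id)
            self.white_ops.add(op_host(op_endpoint))

    def blacklist_op(self, op_endpoint):
        """Moderator identified a spammer OP: blacklist it, revoke whitelisting."""
        op = op_host(op_endpoint)
        self.black_ops.add(op)
        self.white_ops.discard(op)
```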




