[OpenID] Trust + Security @ OpenID
Brendan Taylor
whateley at gmail.com
Sun Jul 8 15:41:39 UTC 2007
On Sun, Jul 08, 2007 at 01:59:02AM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> like self-signed certificates. A relying party can choose to trust them
> but nothing has been verified or guaranteed in any form (not even the
> integrity of the authentication process). For me as relying party
> running a forum or web log, this is not really assuring...not to speak
> about other potential login facilities.
This is something I've never understood - why does an RP need to trust an
OP? If this is about spam, then surely it makes more sense to determine
trust per-user (and possibly blacklist OPs).
I especially don't understand why the RP cares about "integrity of the
authentication process". Surely it should be the user's responsibility
to select an OP with the security they require.
I think this is going in the wrong direction; I would be very
disappointed if OpenID lost its decentralization, and I'm not sure why
people think it needs to.