[OpenID] Rule of thumb
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Jul 13 19:53:47 UTC 2007
Hi Eric,
Eric Norman wrote:
>
> Methinks there's an awful lot of RPs that would certainly
> prefer not.
I don't suppose this to be forced on anybody! But as anybody can choose
to add CAs to the browser or add various white and black lists to
the mail server, one could opt to make it a requirement or not. I'd view
it as a service, confirming the adherence of an IDP to certain standards
and rules (See the various extensions in draft right now).
> They would view this as the fox guarding the
> henhouse, to use an old adage.
>
It depends who is going to be the fox....;-)
Except what's wrong with the community taking care of this?
> After all, they are the ones with something at risk. So
> they're not going to listen much if the OpenID community
> starts telling them how to do their risk management. And
> rightly so.
I for one can't make use of OpenID in its current form, except if
strictly trusting only our own IDP. I'm sure there are many more out
there hesitating to adopt OpenID for this very reason. An RP in the
OpenID world is usually a web site, not a person! Which makes accepting
an IDP not a case-to-case based decision, but rather accept all or
nothing. Nor do I have the intention to screen every new incoming IDP
upon each request.
Perhaps you have a better suggestion to me...?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390