[OpenID] Open - opacity vs. restrictions

SitG Admin sysadmin at shadowsinthegarden.com
Fri Apr 3 21:53:55 UTC 2009


>Then see if - WITHOUT bilateral agreement - the OP subscriber (i.e. 
>MySpace user) can freely wander to that RP, without the prior 
>knowledge of an OP/MySpace administrator.
>
>Though the RP may CERTAINLY reject an assertion on the grounds that 
>the OP has insufficient trustworthiness (in the RP's eyes), it's 
>hardly "openid" that an OP may limit the blog sites where a given 
>OP's user may deposit his/her authenticated comment!?

I've been giving this some thought.

If my own (personal) OP, capable of making assertions about *my* 
Identity only, is hardcoded to die immediately on any request to 
speak with MySpace, does it matter that *I'm* the administrator and 
knew about it beforehand? Does it matter that I'm the "user", 
effectively, and this effect would qualify as one of my settings?

Expanding from this, then, is the lack of openness in such 
implementations (when dealing with OPs where at least one user is 
*not* also an administrator) because of the lack of freedom in which 
RPs an OP can be used with, or because of the lack of transparency 
about which restrictions will apply?

If the OP is "open" from the beginning about which RPs they make 
assertions for (or which ones they won't), enabling users to make 
informed choices about which of the competitors to make 
authoritative, is it still OpenID?

Switching one's headers to a limited-functionality OP before going 
into an area where passwords might be stolen may be preferable to 
asking one's OP to implement a temporary limit (or going with the 
ultra-high-security OP that can handle such things but is too strict 
for everyday usage), memorizing just one password for use during that 
time and knowing that damage from theft would be limited.

-Shade
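As an added illustration of the mechanism this thread argues about (not code from Shade's post or from any OpenID implementation), the block below shows the OP side of a "transparent restriction": the OP first applies the standard OpenID 2.0 check that `return_to` lies under the stated `realm`, then consults a policy it publishes up front, and when it refuses it says which published rule applied. The policy, the realm strings and the requests are all constructed sample values; `OpPolicy`, `decide` and `return_to_matches_realm` are names chosen here, not OpenID library API.

```python
"""Constructed example of an OpenID Provider (OP) that restricts which
Relying Parties (RPs) it will assert to, while publishing the restriction.
All realms, URLs and policy values below are made up for illustration."""
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlparse

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(u):
    # urlparse gives None when no explicit port; fall back to the scheme default.
    return u.port if u.port is not None else _DEFAULT_PORTS.get(u.scheme)


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 realm rule: scheme and port must match, the host must match
    (a leading '*.' in the realm matches the bare domain or any subdomain),
    and the return_to path must equal or lie under the realm path."""
    rt, rl = urlparse(return_to), urlparse(realm)
    if rt.scheme != rl.scheme or _port(rt) != _port(rl):
        return False
    rt_host, rl_host = (rt.hostname or ""), (rl.hostname or "")
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if not (rt_host == base or rt_host.endswith("." + base)):
            return False
    elif rt_host != rl_host:
        return False
    rl_path, rt_path = (rl.path or "/"), (rt.path or "/")
    if rl_path.endswith("/"):
        return rt_path.startswith(rl_path)
    return rt_path == rl_path or rt_path.startswith(rl_path + "/")


@dataclass(frozen=True)
class OpPolicy:
    """Constructed sample policy: realms this OP refuses, and (optionally)
    the only realms it serves.  An empty allow-list means 'anything not denied'."""
    denied_realms: tuple = ()
    allowed_realms: tuple = ()

    def describe(self) -> str:
        """The statement the OP publishes so users can choose it knowingly."""
        lines = ["This OP makes assertions for:"]
        lines.append("  " + (", ".join(self.allowed_realms) if self.allowed_realms else "any RP"))
        if self.denied_realms:
            lines.append("except: " + ", ".join(self.denied_realms))
        return "\n".join(lines)


def decide(policy: OpPolicy, return_to: str, realm: str) -> Tuple[str, str]:
    """Return ('accept', '') or ('reject', reason).  The reason names the
    published rule that applied, so the refusal is transparent to the user."""
    if not return_to_matches_realm(return_to, realm):
        return "reject", "return_to is not under the stated realm"
    for denied in policy.denied_realms:
        if return_to_matches_realm(return_to, denied):
            return "reject", f"this OP does not assert to {denied} (see published policy)"
    if policy.allowed_realms and not any(
        return_to_matches_realm(return_to, allowed) for allowed in policy.allowed_realms
    ):
        return "reject", "realm is outside this OP's published allow-list"
    return "accept", ""


if __name__ == "__main__":
    # Constructed "limited-functionality OP" policy: refuses one social-network realm.
    policy = OpPolicy(denied_realms=("https://*.social.example/",))
    print(policy.describe())
    print(decide(policy, "https://www.social.example/openid/return", "https://www.social.example/"))
    print(decide(policy, "https://blog.example.org/openid/return?x=1", "https://blog.example.org/"))
    # A return_to that escapes its own realm is refused before policy is consulted.
    print(decide(policy, "https://other.example.org/cb", "https://blog.example.org/"))
```

The two-stage order matters: the realm check is the protocol's own integrity rule and is applied to every request, while the policy stage is the OP's discretionary restriction, and the reason string is what makes that restriction "open" in the sense Shade asks about.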