[OpenID] Open - opacity vs. restrictions
sysadmin at shadowsinthegarden.com
Fri Apr 3 21:53:55 UTC 2009
>Then see if - WITHOUT bilateral agreement - the OP subscriber (i.e.
>MySpace user) can freely wander to that RP, without the prior
>knowledge of an OP/MySpace administrator.
>Though the RP may CERTAINLY reject an assertion on the grounds that
>the OP has insufficient trustworthiness (in the RP's eyes), it's
>hardly "openid" that an OP may limit the blog sites where a given
>OP's user may deposit his/her authenticated comment!?
I've been giving this some thought.
If my own (personal) OP, capable of making assertions about *my*
Identity only, is hardcoded to die immediately on any request to
speak with MySpace, does it matter that *I'm* the administrator and
knew about it beforehand? Does it matter that I'm the "user",
effectively, and this effect would qualify as one of my settings?
Expanding from this, then, is the lack of openness in such
implementations (when dealing with OPs where at least one user is
*not* also an administrator) because of the lack of freedom in which
RPs an OP can be used with, or because of the lack of transparency
about which restrictions will apply?
If the OP is "open" from the beginning about which RPs they make
assertions for (or which ones they won't), enabling users to make
informed choices about which of the competitors to make
authoritative, is it still OpenID?
Switching one's headers to a limited-functionality OP before going
into an area where passwords might be stolen may be preferable to
asking one's OP to implement a temporary limit (or going with the
ultra-high-security OP that can handle such things but is too strict
for everyday usage), memorizing just one password for use during that
time and knowing that damage from theft would be limited.
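The OP-side restriction discussed in the message above, as an added example that is not part of the original thread and not anyone's production OP: a hypothetical personal OP that publishes an explicit list of realms it refuses to assert to (here, MySpace, matching the scenario in the post), checks each checkid_setup request against that list, and first verifies that the RP's return_to descends from its declared realm as OpenID 2.0 section 9.2 requires. The policy contents, the identifier id.example.net/alice and the sample requests are constructed for the example; the wildcard-realm interpretation (a "*." realm covers the bare domain and its subdomains) is this example's reading of the spec.

```python
# Added example: OP-side RP policy check for OpenID 2.0 checkid_setup requests.
# Not code from the thread; OP, policy and requests below are constructed.
from urllib.parse import parse_qs, urlencode, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed, *published* policy of a hypothetical personal OP: it will not
# assert to any MySpace realm and allows every other RP. Publishing the list
# is what lets a user know the restriction before choosing this OP.
DENIED_REALMS = ("http://*.myspace.com/", "https://*.myspace.com/")


def url_descends_from_realm(realm, url):
    """OpenID 2.0 section 9.2 check: same scheme and (default-aware) port, realm
    host equal to the URL host or, for a '*.' realm, equal to the part after
    '*.' or one of its subdomains, realm path a prefix of the URL path, and no
    fragment in the realm. The '*.' reading is this example's interpretation."""
    r, u = urlparse(realm), urlparse(url)
    if r.scheme != u.scheme or r.fragment or not r.hostname or not u.hostname:
        return False
    if (r.port or DEFAULT_PORTS.get(r.scheme)) != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    rhost, uhost = r.hostname.lower(), u.hostname.lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        if uhost != base and not uhost.endswith("." + base):
            return False
    elif "*" in rhost or rhost != uhost:
        return False
    return (u.path or "/").startswith(r.path or "/")


def decide(query_string):
    """Take the raw query string of a checkid_setup request as the OP receives
    it and return the OP's decision with the reason it would show the user."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    return_to = params.get("openid.return_to")
    if not return_to:
        return {"decision": "error", "reason": "no openid.return_to in request"}
    # Per OpenID 2.0, an absent realm defaults to the return_to URL.
    realm = params.get("openid.realm", return_to)
    if not url_descends_from_realm(realm, return_to):
        return {"decision": "error",
                "reason": "return_to does not descend from realm " + realm}
    for pattern in DENIED_REALMS:
        if url_descends_from_realm(pattern, return_to):
            return {"decision": "deny",
                    "reason": "RP falls under published rule " + pattern}
    return {"decision": "allow", "reason": "no published rule excludes this RP"}


def checkid_request(return_to, realm=None):
    """Constructed checkid_setup request, encoded the way an RP would send it
    in a redirect. The identifier id.example.net/alice is made up."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": "https://id.example.net/alice",
        "openid.identity": "https://id.example.net/alice",
        "openid.return_to": return_to,
    }
    if realm:
        fields["openid.realm"] = realm
    return urlencode(fields)


if __name__ == "__main__":
    samples = [
        ("http://www.myspace.com/openid/return?n=1", "http://*.myspace.com/"),
        ("https://blog.example.org/openid/finish", "https://blog.example.org/"),
        ("http://evil.example.net/cb", "http://www.myspace.com/"),
        ("https://blog.example.org:8443/cb", "https://blog.example.org/"),
    ]
    for return_to, realm in samples:
        result = decide(checkid_request(return_to, realm))
        print(f"{return_to:45} -> {result['decision']:5} ({result['reason']})")
```

The realm check runs before the policy check on purpose: an RP that declares one realm but asks to be sent somewhere else is rejected as a protocol error rather than silently allowed or denied, so the published deny list is only ever consulted for well-formed requests.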