[OpenID] OAuth SPs don't have to be your OpenID OP
andrewarnott at gmail.com
Sat Apr 4 04:47:07 UTC 2009
> The problem is that we are not considering one aspect of the internet we
> seen over the years. The internet has an uncanny ability to sort out trust
> issues on it own. Users learn which RP's to trust. Rp's learn which OP's to
> trust. Maybe we should factor this into the thinking and move on instead of
> getting bogged down by trust issues.
Wow. Coming from someone who's been complaining that OpenID doesn't provide
a way for RP's to skip email verification because they can't trust OPs, I'm
amazed to hear you suggest we skip over worrying about solving the trust
problem. How do you think the Internet "sort out trust issues on its own?"
SSL cert verification didn't just happen. Trust layers have to be
conceived, standardized, and implemented to be very useful. Yes, an RP
today can decide to trust an OP "on its own", but there are many other
scenarios we haven't discussed recently that can only be enabled if
infrastructure-assisted trust relationships is created.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the general