[OpenID] [oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

Peter Williams pwilliams at rapattoni.com
Wed Apr 8 02:23:28 UTC 2009

> -----Original Message-----

[Peter Williams]
> It may not be "any OP can play the game" but is still open in the
> sense that reputation-based communities are. Clearly this game cannot
> be played without reputation metrics, this is a trust issue, not a
> protocol issue.

[Peter Williams] Certainly a fallen ideal. In my own personal schema, the web benefits from the following, in this preferred order:

1 User-centric federations (original openid ideal, dying rapidly)

2 RP-centric federations (folks with a security itch that a well chosen OP may scratch)

3 OP-centric federations (the actual privacy-enforcing Shib/Liberty model attempting to address the abuses of Microsoft Passport)

As any desiring RP can turn around at any moment and become an OP for those on whom it has just relied (much like folks like PayPal run hosted credit-card web portals for users, in the original VeriSign model), we have a good hybrid model. The emergence of RPs becoming OPs will be similar to the emergence of the self-signed CAs, in the SSO world.
