[OpenID] An alternative OpenID UX

Rabbit rabbit at cyberpunkrock.com
Tue Apr 14 20:20:34 UTC 2009


I feel there is a huge difference. The RP is not enforcing a policy  
constraint. The policy compliance is purely circumstantial due to the  
fact the RP has required only specific OPs can be used.

This is what I meant when I said "OpenID is not about the RP. It's  
about the User". The User should be able to say "Unknown OP is able to  
comply with your policy constraints." and the RP can respond "I see  
that it does! ok, you may use that OP which I had previously never  
heard of." without having that be an actual e-mail correspondence  
(because obviously humans are already user-centric).

I'm very weary of whitelists. They're pessimistic and authoritarian.  
If an RP wishes to enforce a policy constraint such as "requires  
verified e-mail" they should not simply cherry pick providers they  
know that are able to conform to that constraint.

=Rabbit



On Apr 14, 2009, at 10:06 AM, Peter Williams wrote:

> Think about the model tho: is this any different to an OP that  
> refuses to deal with RP realms that don't fit its policy, or  
> requires RPs to "pre-register", or requires an RP to bind to
> particular legal copyright terms (that are offensive to many), or  
> "give notice" by binding the assertion to an https cert (bearing  
> copyright notice, and binding to an relying party agreement or other  
> governance regime)? I cannot imagine in the Japan market anyone even  
> blinking twice at such a constraint - limiting assertion
> requesting/making to particular trading groups. If that's all fine
> in Japan, it's fine in Santosh-land.
>
> The best technical way for Santosh to assert his policy would be to  
> declare a vendor-specific PAPE URL, publish its policy (email  
> identity verification required) on the URL (making it thus  
> resolvable), always include the policy requirement in assertion  
> requests, and always enforce the PAPE assertion policy requirement  
> on handling the assertion. If he does this, the system is 100%  
> openid - as between trust impositions and PAPE requirements, the  
> system is exploiting the very mechanism the standard provides for  
> such controls.
>
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Santosh Rajan
>> Sent: Monday, April 13, 2009 10:26 PM
>> To: general at openid.net
>> Subject: Re: [OpenID] An alternative OpenID UX
>>
>>
>> You can't
>>
>>
>> Chris Messina wrote:
>>>
>>> I'm a little confused by the UI.
>>> What if I want to use my own self-provided OpenID?
>>>
>>> Chris
>>>
>>> On Mon, Apr 13, 2009 at 8:44 PM, Santosh Rajan <santrajan at gmail.com>
>>> wrote:
>>>
>>>>
>>>> PS:
>>>> It also sets a cookie so that the next time on it will show you your
>>>> selected Account in the button.
>>>>
>>>>
>>>> Santosh Rajan wrote:
>>>>>
>>>>> I am working on an OpenID UX with the following objectives.
>>>>> 1) Make it as simple as possible for the user under the circumstances.
>>>>> 2) RP's don't have to bother about authentication and verification. They
>>>>> get an authenticated user with a verified email address.
>>>>>
>>>>> You can see it here
>>>>> http://myfeeds.myofiz.com
>>>>>
>>>>> I would like to add more OP's to this. But I am not sure if they provide a
>>>>> verified email address.
>>>>>
>>>>> Your comments and feedback will be useful.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/An-alternative-OpenID-UX-tp23032699p23032765.html
>>>> Sent from the OpenID - General mailing list archive at Nabble.com.
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>>
>>>
>>>
>>>
>>> --
>>> Chris Messina
>>> Citizen-Participant &
>>> Open Web Advocate
>>>
>>> factoryjoe.com // diso-project.org // vidoop.com
>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>>
>>
>> --
>> View this message in context: http://www.nabble.com/An-alternative-OpenID-UX-tp23032699p23033453.html
>> Sent from the OpenID - General mailing list archive at Nabble.com.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
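
The PAPE approach described in the quoted message (request the policy, then enforce it on the returned assertion instead of keeping a list of known OPs) could look like the sketch below. This is an added example, not code from the thread or from any participant; the policy URI and the function names are hypothetical, and it assumes the RP's OpenID library has already verified the assertion signature.

```python
from urllib.parse import parse_qsl, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# Hypothetical vendor-specific policy URI; a placeholder, not a value from the thread.
VERIFIED_EMAIL_POLICY = "https://rp.example/policies/verified-email"


def add_pape_request(checkid_params: dict) -> dict:
    """Attach the policy requirement to an authentication request."""
    out = dict(checkid_params)
    out["openid.ns.pape"] = PAPE_NS
    out["openid.pape.preferred_auth_policies"] = VERIFIED_EMAIL_POLICY
    return out


def policy_satisfied(assertion_qs: str, required: str = VERIFIED_EMAIL_POLICY) -> bool:
    """Enforce the policy on a positive assertion, whichever OP issued it.

    Assumes the OpenID signature over the openid.signed fields was already
    verified by the RP's OpenID library. A True result means the OP claims
    the policy; whether to believe an unfamiliar OP is a separate decision.
    """
    pairs = parse_qsl(assertion_qs, keep_blank_values=True)
    fields = dict(pairs)
    if len(fields) != len(pairs):  # duplicate keys make the check ambiguous
        return False
    if fields.get("openid.mode") != "id_res":
        return False
    # The OP may bind the PAPE namespace to any alias, not just "pape".
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False
    # Extension fields missing from openid.signed are not covered by the
    # signature and could have been appended to the redirect URL in transit.
    signed = set(fields.get("openid.signed", "").split(","))
    if not {f"ns.{alias}", f"{alias}.auth_policies"} <= signed:
        return False
    return required in fields.get(f"openid.{alias}.auth_policies", "").split()


if __name__ == "__main__":
    # Constructed sample assertion, trimmed to the PAPE-relevant fields.
    sample = urlencode({
        "openid.mode": "id_res",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": VERIFIED_EMAIL_POLICY,
        "openid.signed": "response_nonce,ns.pape,pape.auth_policies",
    })
    print(policy_satisfied(sample))
```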



