[OpenID] An alternative OpenID UX

Andrew Arnott andrewarnott at gmail.com
Tue Apr 14 21:00:51 UTC 2009


Without a trust framework though, an OP or user's claim to an RP that an OP
fits the RP's requirements is worthless.  Thus whitelisting is the only way
an RP can be sure, given the current infrastructure (none).
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Tue, Apr 14, 2009 at 1:20 PM, Rabbit <rabbit at cyberpunkrock.com> wrote:

> I feel there is a huge difference. The RP is not enforcing a policy
> constraint. The policy compliance is purely circumstantial due to the fact
> the RP has required only specific OPs can be used.
>
> This is what I meant when I said "OpenID is not about the RP. It's about
> the User". The User should be able to say "Unknown OP is able to comply with
> your policy constraints." and the RP can respond "I see that it does! ok,
> you may use that OP which I had previously never heard of." without having
> that be an actual e-mail correspondence (because obviously humans are
> already user-centric).
>
> I'm very wary of whitelists. They're pessimistic and authoritarian. If an
> RP wishes to enforce a policy constraint such as "requires verified e-mail"
> they should not simply cherry pick providers they know that are able to
> conform to that constraint.
>
> =Rabbit
>
>
>
>
> On Apr 14, 2009, at 10:06 AM, Peter Williams wrote:
>
>> Think about the model though: is this any different to an OP that refuses to
>> deal with RP realms that don't fit its policy, or requires RPs to
>> "pre-register", or requires an RP to bind to particular legal copyright
>> terms (that are offensive to many), or "give notice" by binding the
>> assertion to an https cert (bearing copyright notice, and binding to a
>> relying party agreement or other governance regime)? I cannot imagine in the
>> Japan market anyone even blinking twice at such a constraint - limiting
>> assertion requesting/making to particular trading groups. If that's all fine
>> in Japan, it's fine in Santosh-land.
>>
>> The best technical way for Santosh to assert his policy would be to
>> declare a vendor-specific PAPE URL, publish its policy (email identity
>> verification required) on the URL (making it thus resolvable), always
>> include the policy requirement in assertion requests, and always enforce the
>> PAPE assertion policy requirement on handling the assertion. If he does
>> this, the system is 100% OpenID - as between trust impositions and PAPE
>> requirements, the system is exploiting the very mechanism the standard
>> provides for such controls.
>>
>>> -----Original Message-----
>>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>>> Behalf Of Santosh Rajan
>>> Sent: Monday, April 13, 2009 10:26 PM
>>> To: general at openid.net
>>> Subject: Re: [OpenID] An alternative OpenID UX
>>>
>>>
>>> You can't.
>>>
>>>
>>> Chris Messina wrote:
>>>
>>>>
>>>> I'm a little confused by the UI.
>>>> What if I want to use my own self-provided OpenID?
>>>>
>>>> Chris
>>>>
>>>> On Mon, Apr 13, 2009 at 8:44 PM, Santosh Rajan <santrajan at gmail.com>
>>>> wrote:
>>>>
>>>>
>>>>> PS:
>>>>> It also sets a cookie so that the next time it will show you your
>>>>> selected account in the button.
>>>>>
>>>>>
>>>>> Santosh Rajan wrote:
>>>>>
>>>>>>
>>>>>> I am working on an OpenID UX with the following objectives.
>>>>>> 1) Make it as simple as possible for the user under the circumstances.
>>>>>> 2) RP's don't have to bother about authentication and verification. They
>>>>>> get an authenticated user with a verified email address.
>>>>>>
>>>>>> You can see it here
>>>>>> http://myfeeds.myofiz.com
>>>>>>
>>>>>> I would like to add more OP's to this. But I am not sure if they provide a
>>>>>> verified email address.
>>>>>>
>>>>>> Your comments and feedback will be useful.
>>>>>>
>>>>> _______________________________________________
>>>>> general mailing list
>>>>> general at openid.net
>>>>> http://openid.net/mailman/listinfo/general
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Chris Messina
>>>> Citizen-Participant &
>>>> Open Web Advocate
>>>>
>>>> factoryjoe.com // diso-project.org // vidoop.com
>>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
>>>>
>
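The two technical points in the thread, Peter Williams's suggestion that the RP declare a vendor-specific PAPE policy URL, ask for it in every authentication request and enforce it when the assertion comes back, and Andrew's point that without a trust framework the RP still has to whitelist the OPs it believes will honour that policy, can be put together in RP-side code. The following is an added example written for this page; it is not code from the thread, from Santosh's UX, or from any OpenID library. The policy URI (https://rp.example/policies/verified-email), the OP endpoint, the MAC key and the sample id_res are all constructed for the example; an HMAC-SHA256 association is assumed, and return_to, nonce-replay and discovery verification of the OP endpoint are assumed to be handled elsewhere.

```python
"""RP-side enforcement of a PAPE policy plus an OP whitelist (added example)."""
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# Hypothetical vendor-specific policy URI (assumed for this example, not from
# the thread); the RP would publish the policy text at this address.
VERIFIED_EMAIL_POLICY = "https://rp.example/policies/verified-email"
# Constructed whitelist of OP endpoints the RP has vetted out of band.
TRUSTED_OP_ENDPOINTS = frozenset({"https://op.example/server"})
# Fields (minus the "openid." prefix) this RP insists are under openid.sig:
# the PAPE answer is worthless if anyone editing the redirect can append it.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "ns.pape", "pape.auth_policies")
PAPE_SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                      "response_nonce", "assoc_handle", "ns.pape",
                      "pape.auth_policies", "pape.auth_time"]
SAMPLE_MAC_KEY = b"constructed-association-secret-not-a-real-key"


def build_auth_request(claimed_id, return_to, realm, policy=VERIFIED_EMAIL_POLICY):
    """RP side: checkid_setup request asking the OP for a specific PAPE policy."""
    return {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
            "openid.return_to": return_to, "openid.realm": realm,
            "openid.ns.pape": PAPE_NS,
            "openid.pape.preferred_auth_policies": policy}


def key_value_form(response, signed_fields):
    """OpenID 2.0 key-value form: "name:value\\n" per signed field, in
    openid.signed order, with the "openid." prefix stripped."""
    return "".join(f"{n}:{response['openid.' + n]}\n" for n in signed_fields)


def sign_response(response, mac_key, signed_fields):
    """OP side: add openid.signed and an HMAC-SHA256 openid.sig computed with
    the association MAC key (assoc_type HMAC-SHA256 assumed)."""
    signed = dict(response, **{"openid.signed": ",".join(signed_fields)})
    mac = hmac.new(mac_key, key_value_form(signed, signed_fields).encode(), hashlib.sha256)
    signed["openid.sig"] = base64.b64encode(mac.digest()).decode()
    return signed


def signature_valid(response, mac_key):
    """Recompute the HMAC over exactly the fields the OP says it signed."""
    try:
        fields = response["openid.signed"].split(",")
        expected = hmac.new(mac_key, key_value_form(response, fields).encode(),
                            hashlib.sha256).digest()
        presented = base64.b64decode(response["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, presented)


def evaluate_assertion(response, mac_key, policy=VERIFIED_EMAIL_POLICY,
                       trusted_ops=TRUSTED_OP_ENDPOINTS):
    """RP side: accept only a signed id_res from a whitelisted OP whose signed
    PAPE answer names the required policy. Returns (accepted, reason).
    return_to, nonce-replay and discovery checks are assumed to run elsewhere."""
    if response.get("openid.ns") != OPENID_NS or response.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    if not signature_valid(response, mac_key):
        return False, "bad signature"
    signed = set(response["openid.signed"].split(","))
    missing = [f for f in REQUIRED_SIGNED if f not in signed]
    if missing:
        return False, "fields not covered by signature: " + ", ".join(missing)
    if response["openid.op_endpoint"] not in trusted_ops:
        return False, "OP endpoint not on whitelist"
    if response["openid.ns.pape"] != PAPE_NS:
        return False, "unexpected PAPE namespace"
    if policy not in response["openid.pape.auth_policies"].split():
        return False, "OP did not assert the required policy"
    return True, "ok"


def sample_positive_assertion(op_endpoint="https://op.example/server",
                              auth_policies=VERIFIED_EMAIL_POLICY):
    """Constructed id_res, as an OP would redirect it back, before signing."""
    return {"openid.ns": OPENID_NS, "openid.mode": "id_res",
            "openid.op_endpoint": op_endpoint,
            "openid.claimed_id": "https://alice.example/",
            "openid.identity": "https://alice.example/",
            "openid.return_to": "https://rp.example/openid/return",
            "openid.response_nonce": "2009-04-14T21:00:51Zconstructed",
            "openid.assoc_handle": "constructed-handle",
            "openid.ns.pape": PAPE_NS,
            "openid.pape.auth_policies": auth_policies,
            "openid.pape.auth_time": "2009-04-14T20:59:30Z"}
```

The order of checks is deliberate: the signature is verified before any field is trusted, and the RP then refuses an assertion whose PAPE fields are not in openid.signed even when the signature over the other fields is good, because an unsigned openid.pape.auth_policies can be appended to the return_to redirect by whoever controls the user agent. The whitelist test sits between those and the policy test, which is the gap Andrew describes: an OP can sign any policy URI it likes, so the policy field only means something for OPs the RP has already decided to believe.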

