[OpenID] An alternative OpenID UX

SitG Admin sysadmin at shadowsinthegarden.com
Tue Apr 14 21:01:00 UTC 2009


>This is what I meant when I said "OpenID is not about the RP. It's 
>about the User". The User should be able to say "Unknown OP is able 
>to comply with your policy constraints." and the RP can respond "I 
>see that it does! ok, you may use that OP which I had previously 
>never heard of."

Agreed. To user X, what is the difference between "I have never heard 
of your OP, therefore we have not established a trust relationship." 
and "I have been contacted by your OP, but they refused to pay me our 
'corporate alliance fee' (bribe), so we cannot trust them to make 
assertions about your Identity, and we therefore must require that 
you sign up for an account with one of our corporate allies, which 
entails giving them all your personal information, agreeing to their 
draconian Terms of Use, and allowing all your E-mail to be shared 
among their bored tech-support staff."?

>I'm very weary of whitelists. They're pessimistic and authoritarian. 
>If an RP wishes to enforce a policy constraint such as "requires 
>verified e-mail" they should not simply cherry pick providers they 
>know that are able to conform to that constraint.

Whitelists also risk creating for users one of the very problems that 
OpenID was intended to solve: the requirement to have many different 
accounts across different providers. It doesn't matter whether these 
accounts provide access locally or remotely; if one RP accepts Google 
and another RP rejects Google, the user can't simply use one account 
(Google) for everything; they *must* begin creating accounts with 
multiple services all over again, taking their cue from the whitelist 
each RP publishes.

-Shade


