[OpenID] An alternative OpenID UX
sysadmin at shadowsinthegarden.com
Tue Apr 14 21:01:00 UTC 2009
>This is what I meant when I said "OpenID is not about the RP. It's
>about the User". The User should be able to say "Unknown OP is able
>to comply with your policy constraints." and the RP can respond "I
>see that it does! ok, you may use that OP which I had previously
>never heard of."
Agreed. To user X, what is the difference between "I have never heard
of your OP, therefore we have not established a trust relationship."
and "I have been contacted by your OP, but they refused to pay me our
'corporate alliance fee' (bribe), so we cannot trust them to make
assertions about your Identity, and we therefore must require that
you sign up for an account with one of our corporate allies, which
entails giving them all your personal information, agreeing to their
among their bored tech-support staff."?
>I'm very wary of whitelists. They're pessimistic and authoritarian.
>If an RP wishes to enforce a policy constraint such as "requires
>verified e-mail" they should not simply cherry pick providers they
>know that are able to conform to that constraint.
Whitelists also risk creating for users one of the very problems that
OpenID was intended to solve: the requirement to have many different
accounts across different providers. It doesn't matter whether these
accounts provide access locally or remotely; if one RP accepts Google
and another RP rejects Google, the user can't simply use one account
(Google) for everything; they *must* begin creating accounts with
multiple services all over again, taking their cue from the whitelist
each RP publishes.