"Editors" Conference Call

Dick Hardt dick at sxip.com
Wed Nov 1 22:20:27 UTC 2006


On 1-Nov-06, at 12:28 PM, John Kemp wrote:
> OK. Just checking. So an IdP/OP can choose whether or not to trust a
> particular RP, based on some out-of-band criteria. And an RP can choose
> whether or not to trust the assertions of a particular IdP/OP? OK good.

Technically possible, yes, for the RP to decide on an IdP/OP.
Currently, there is no verified RP identity, so the IdP/OP cannot
make that decision.

>> I have not had a chance to wade into that discussion.
>
> I'd highly recommend it when you get the chance.

in my queue :)

>
>>
>>> I suspect the latter case will be unlikely, if OpenID
>>> is to be successful.
>>
>> And I do not. And that is the big driver why it should be OP instead of
>> IdP.
>
> I think what you're trying to say is that OpenID won't depend on static
> trust relationships (like business contracts) between RPs and IdP/OPs -
> is that right? In which case, sure, I get that.
>
> But I do think OpenID will depend on there emerging a way of some RP
> trusting (or not) some IdP (and vice-versa). Whitelists and blacklists
> seem like a scalable and dynamic way of doing that, and would seem to be
> a reasonable way of minimizing the presence of rogue IdPs. Don't take my
> word for it though - look at the discussion on security at .

I don't think there should be an OP reputation. I will wade into the
security@ list to discuss.


>> asserted data.
>> The OP is not verifying the accuracy of any of the attributes in
>> attribute exchange.
>
> A claim by my IdP/OP /might/ be a claim by a third-party, no? And if the
> IdP/OP makes such a claim on my behalf (and is not under my direct
> control), won't it at least want to verify that the subject of the claim
> is also the user whose identifier it asserted in OpenID Authentication?

If the OP is making a separate claim about you, then it is not being
an OP at that time.
Perhaps I am missing your point here though.

>
>>
>>>
>>>>
>>>> In OpenID Authentication, there is no trust relationship requirement
>>>> between the IdP and RP, and the only thing the IdP asserts is a
>>>> binding between the user and an identifier (OpenID URL or i-name).
>>>
>>> And on what basis does the OP "assert" this binding to an RP? Doesn't
>>> the OP typically "authenticate" that binding, or does it simply take the
>>> user's identifier on blind faith, and assert away?
>>
>> The OP authenticates the user (how the OP authenticates the user is out
>> of scope of the spec).
>
> OK - so the user probably maintains an "account" with the OP, very much
> like a user would with an IdP? Unless the user runs her own OP.

The OP has a mechanism to determine which user it is interacting with.
If the user is running her own OP, then there is still an
authentication process of some kind such as access to the machine.

-- Dick
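The thread above says two things an RP can check: that the OP really asserted the user/identifier binding (the signed positive assertion), and, as an RP-local policy, whether it wants to accept assertions from that OP at all (John's whitelist/blacklist). The following is an added example of that RP-side decision, written for this page; it is not code from the thread, from Sxip, or from any OpenID library. It assumes the RP already holds an HMAC-SHA1 association MAC key for the assoc_handle in the assertion, and that the OP endpoint allow/deny lists are the RP's own out-of-band policy. The assertion, the MAC key, and every hostname in it are constructed for the example.

```python
"""RP-side acceptance of an OpenID 2.0 positive assertion (added example).

Assumptions (not from the thread): the RP holds the association MAC key
for assoc_handle "assoc-1" (HMAC-SHA1 association), and allow/deny lists
of OP endpoint hosts are the RP's own out-of-band trust policy.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Fields the OP must include in openid.signed (OpenID Authentication 2.0, sec. 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

# Constructed association secret, standing in for the key the RP obtained
# from the OP via an association request (a real key is random).
SAMPLE_MAC_KEY = bytes(range(20))


def kv_form(fields, names):
    """Key-Value form of the signed fields: 'name:value\\n', names without 'openid.'."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in names)


def compute_sig(fields, mac_key):
    """Base64 HMAC-SHA1 over the Key-Value form of the fields listed in openid.signed."""
    names = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, names).encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def trust_decision(fields, mac_key, rp_return_to, allow_ops=None, deny_ops=()):
    """Return ('accept', claimed_id) or ('reject', reason).

    Verifies the OP's signature over the user/identifier binding, then applies
    the RP's own whitelist/blacklist of OP endpoint hosts.
    """
    if (fields.get("openid.ns") != "http://specs.openid.net/auth/2.0"
            or fields.get("openid.mode") != "id_res"):
        return ("reject", "not an OpenID 2.0 positive assertion")
    signed = set(fields.get("openid.signed", "").split(","))
    missing = REQUIRED_SIGNED - signed
    if missing:
        return ("reject", "unsigned fields: " + ",".join(sorted(missing)))
    # Constant-time compare so a forged sig cannot be guessed byte by byte.
    if not hmac.compare_digest(compute_sig(fields, mac_key), fields.get("openid.sig", "")):
        return ("reject", "bad signature")
    if fields["openid.return_to"] != rp_return_to:
        return ("reject", "return_to does not match this RP")
    # RP-local policy: the assertion is genuine, but do we trust this OP?
    op_host = urlparse(fields["openid.op_endpoint"]).hostname or ""
    if op_host in deny_ops:
        return ("reject", f"OP {op_host} is blacklisted")
    if allow_ops is not None and op_host not in allow_ops:
        return ("reject", f"OP {op_host} is not whitelisted")
    return ("accept", fields["openid.claimed_id"])


# Constructed positive assertion, as the RP would parse it from the
# return_to query string; all names and values are made up.
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.net/server",
    "openid.claimed_id": "https://alice.example.org/",
    "openid.identity": "https://alice.example.org/",
    "openid.return_to": "https://rp.example.com/openid/finish",
    "openid.response_nonce": "2006-11-01T22:20:27ZAbCdEf",
    "openid.assoc_handle": "assoc-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
# Stand in for the OP: sign the sample with the shared MAC key.
SAMPLE_ASSERTION["openid.sig"] = compute_sig(SAMPLE_ASSERTION, SAMPLE_MAC_KEY)

if __name__ == "__main__":
    rt = "https://rp.example.com/openid/finish"
    print(trust_decision(SAMPLE_ASSERTION, SAMPLE_MAC_KEY, rt))
    print(trust_decision(SAMPLE_ASSERTION, SAMPLE_MAC_KEY, rt, deny_ops={"op.example.net"}))
    forged = dict(SAMPLE_ASSERTION, **{"openid.identity": "https://bob.example.org/"})
    print(trust_decision(forged, SAMPLE_MAC_KEY, rt))
```

Note what the signature does and does not cover: it proves that the OP at op_endpoint asserted the binding between this session and claimed_id, which is exactly the only thing Dick says the OP asserts; it says nothing about attribute accuracy. A real RP also has to confirm through discovery that claimed_id actually delegates to that op_endpoint (otherwise any OP could assert any identifier) and must reject a reused response_nonce; both are left out here to keep the policy point visible. Nothing on the OP side corresponds to this check, because, as Dick notes, the OP has no verified RP identity to make a decision on.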



More information about the specs mailing list