[PROPOSAL] Handle "http://user at example.com" Style Identifiers
Dick Hardt
dick at sxip.com
Mon Oct 23 01:32:07 UTC 2006
On 22-Oct-06, at 5:05 PM, George Fletcher wrote:
>
> Dick Hardt wrote:
>> What is different with OpenID vs email is that there is certainty
>> that the user actually is the user.
> I'm a little confused. How is there certainty that "the user
> actually is the user"? The viability of the identifier
> representing the same user is dependent on the OpenID provider not
> recycling identifiers. Or did you just mean that in email,
> authentication is not always required for someone to use an email
> identifier?
With SMTP, a bad guy can forge the headers.
With OpenID, there is a presumption the user has selected a
trustworthy IdP that will only present the user's identifiers when it
really is the user.
>
> Note that the OpenID protocol does not prevent idp.spammers.com
> from allowing any identifier to be used and "authenticated"
> regardless of whether it's the same user or not. It is incumbent
> on the relying parties to determine if they will allow identifiers
> authenticated by a particular idp.
Actually, idp.spammers.com cannot do that. The URL has metadata that
states which IdP(s) are authoritative. What idp.spammers.com can do
is flood an RP with a bunch of identifiers. But this is no different
than a script creating new accounts on a system and is defended using
the same mechanisms such as throttling and captchas.
-- Dick
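The RP-side check behind the point above, as an added example that is not code from the original thread: it assumes OpenID 1.1 HTML discovery via `<link rel="openid.server">` and `<link rel="openid.delegate">` tags, a constructed sample page for the claimed identifier, and an assertion that carries the signing endpoint and the asserted identity.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the HTML an RP would fetch from the claimed identifier URL.
# openid.server names the authoritative IdP; openid.delegate (optional) names the
# identifier that IdP actually knows the user by.
CLAIMED_ID = "http://alice.example.com/"
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="https://idp.example.com/openid">
<link rel="openid.delegate" href="https://idp.example.com/users/alice">
</head><body>alice</body></html>"""

LINK_RE = re.compile(r"<link\s+[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def discover(html):
    """Return {'server': url, 'delegate': url} from the page's <link> tags."""
    found = {}
    for tag in LINK_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        rel = attrs.get("rel", "").lower()
        if rel in ("openid.server", "openid.delegate") and "href" in attrs:
            found[rel.split(".", 1)[1]] = attrs["href"]
    return found


def _same_endpoint(a, b):
    x, y = urlsplit(a), urlsplit(b)
    return (x.scheme.lower(), x.netloc.lower(), x.path) == (y.scheme.lower(), y.netloc.lower(), y.path)


def assertion_is_authoritative(claimed_id, html, asserting_endpoint, asserted_identity):
    """Accept an assertion only if it came from the IdP named in the identifier's
    own metadata AND vouches for the identity that metadata delegates to.
    Anything else (e.g. idp.spammers.com asserting this identifier) is rejected."""
    meta = discover(html)
    if "server" not in meta:
        return False  # no authoritative IdP declared: nobody can vouch for it
    expected_identity = meta.get("delegate", claimed_id)
    return (_same_endpoint(meta["server"], asserting_endpoint)
            and asserted_identity == expected_identity)
```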