[PROPOSAL] Handle "http://user at example.com" Style Identifiers

Dick Hardt dick at sxip.com
Mon Oct 23 01:32:07 UTC 2006


On 22-Oct-06, at 5:05 PM, George Fletcher wrote:

>
> Dick Hardt wrote:
>> What is different with OpenID vs email is that there is certainty   
>> that the user actually is the user.
> I'm a little confused.  How is there certainty that "the user  
> actually is the user"?  The viability of the identifier  
> representing the same user is dependent on the OpenID provider not  
> recycling identifiers. Or did you just mean that in email,  
> authentication is not always required for someone to use an email  
> identifier?

With SMTP, a bad guy can forge the headers.

With OpenID, there is a presumption the user has selected a  
trustworthy IdP that will only present the user's identifiers when it  
really is the user.


>
> Note that the OpenID protocol does not prevent idp.spammers.com  
> from allowing any identifier to be used and "authenticated"  
> regardless of whether it's the same user or not.  It is incumbent  
> on the relying parties to determine if they will allow identifiers  
> authenticated by a particular idp.

Actually, idp.spammers.com cannot do that. The URL has metadata that  
states which IdP(s) are authoritative. What idp.spammers.com can do  
is flood an RP with a bunch of identifiers. But this is no different  
than a script creating new accounts on a system and is defended using  
the same mechanisms such as throttling and captchas.

-- Dick
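The check Dick is relying on above, written out as an added example (this is not code from the thread, from Sxip, or from any OpenID library): the RP fetches the claimed identifier URL, reads the <link rel="openid.server"> metadata that names the authoritative IdP, and refuses an assertion whose endpoint is not the one the identifier itself names. The OpenID 1.1 HTML link relations are used, with the 2.0 draft names as a fallback; the identifier page and the endpoint URLs are constructed samples, and the assumption that the RP keys trust on the endpoint URL (scheme, host, port, path) is this example's, not the spec's.

```python
"""RP-side authoritative-IdP check for an OpenID identifier URL.

Added example for the "idp.spammers.com cannot do that" point: an IdP may only
assert an identifier whose own page names that IdP.  Not code from the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> tags from an identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}  # rel value -> href; first occurrence wins

    def handle_starttag(self, tag, attrs):
        if tag != "link":  # HTMLParser already lowercases tag names
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.lower().split():  # rel may hold several tokens
                self.links.setdefault(r, href.strip())


def discover(identifier_html):
    """Return (authoritative_endpoint, delegate) from HTML-based discovery.

    OpenID 1.1 uses rel="openid.server" / "openid.delegate"; the 2.0 draft
    names (openid2.provider / openid2.local_id) are accepted as a fallback.
    Either value is None when the page does not carry it.
    """
    p = _LinkRelParser()
    p.feed(identifier_html)
    endpoint = p.links.get("openid.server") or p.links.get("openid2.provider")
    delegate = p.links.get("openid.delegate") or p.links.get("openid2.local_id")
    return endpoint, delegate


def same_endpoint(a, b):
    """Compare endpoint URLs by scheme, host, port and path.

    Assumption of this example: the default port and a trailing slash are
    not significant, but a scheme change (http vs https) is.
    """
    def norm(u):
        s = urlsplit(u)
        port = s.port or (443 if s.scheme.lower() == "https" else 80)
        return (s.scheme.lower(), (s.hostname or "").lower(), port,
                s.path.rstrip("/") or "/")
    return norm(a) == norm(b)


def assertion_is_authoritative(identifier_html, asserting_endpoint):
    """True only if the IdP that produced the assertion is the one the
    identifier's own metadata names.  An identifier with no metadata has no
    authoritative IdP, so every assertion for it is rejected."""
    endpoint, _delegate = discover(identifier_html)
    if endpoint is None:
        return False
    return same_endpoint(endpoint, asserting_endpoint)


# Constructed sample: the page served at the claimed identifier URL.
ALICE_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example.org/server">
<link rel="openid.delegate" href="https://idp.example.org/users/alice">
</head><body>alice</body></html>"""


if __name__ == "__main__":
    # A rogue IdP asserting alice's URL is refused; alice's own IdP is not.
    for ep in ("https://idp.example.org/server", "https://idp.spammers.com/server"):
        print(ep, "->", assertion_is_authoritative(ALICE_PAGE, ep))
```

Note what this check does and does not cover: it stops a foreign IdP from speaking for someone else's URL, which is the claim in the message, but it says nothing about an IdP that is authoritative for its own identifiers handing them out carelessly; that part is still the RP's decision about which IdPs it will accept, as George says.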


