Yahoo available AX attrs - why not to trust the OP

Peter Watkins peterw at tux.org
Tue Dec 8 18:45:41 UTC 2009 

On Tue, Dec 08, 2009 at 12:18:34PM -0600, Joseph A Holsten wrote:
> I don't mean to troll. I just don't understand why RPs don't just  
> trust the OP's word.

> Am I nuts? Are RPs really saying they don't trust an email assertion  
> from a whitelisted OP without a verified flag? Or that they aren't  
> going to whitelist at all?

We accept any https-based OP for our users -- no whitelist, no blacklist.
If any individual trusts a particular OP to authenticate his account, that's
fine with us. You can pick an OP that uses 2-factor auth, you can roll
your own, or you can roll the dice with some random provider. Your call,
as it's protecting your information. 

My business users like having trustworthy email addresses, and we do
intend to add email verification on our RP side if we get an assertion
from an OP not on our "email verification" whitelist. No, I'm not simply
going to trust that any random OP is telling the truth when it says your
email is president at whitehouse.gov. RP validation of email means you can
trick us into sending a few validation emails to any address you choose,
but we're not going to let you subscribe any old email address to our
dozens of mailing lists without trustworthy validation that you control
that email address.

The validation flag is a nice addition when interacting with trusted OPs. 
Let's say you set up a gmail account but Yahoo is your preferred OP 
You update your Yahoo profile to say gmail is your preferred address. 
If you log in to my RP site before Yahoo verifies your gmail address, 
I'll know that I should validate that address before using it -- I've 
whitelisted Yahoo, but Yahoo tells me your gmail address is not (yet) 
trustworthy.

Validation level info means nothing to me if provided by an unknown OP.
Without, as Santosh writes, some legal framework that could give me 
assurance that the unknown OP is telling the truth, I have no reason 
to trust the OP-reported validation level. (I don't expect we'll
ever see a strong enough legal framework to trust unknown OPs.)

-Peter

More information about the specs mailing list