Decentralized vs. user-centric (was 'Re: 2nd Draft')

SitG Admin sysadmin at shadowsinthegarden.com
Tue Apr 27 03:37:05 UTC 2010


>Another solution that may present itself in the future (as 
>technology allows it) is the notion of a user becoming his/her own 
>OP.

And the geeks shall lead the way . . . seriously, it would help for 
the specs to actively support this.

>For example, I would love to run my OP on my smart-phone.

The problem with smart-phones is their routing: try to get a steady 
IP address with them. XRI fails as a solution here, because it's like 
tor2web; by proxying the key-based address, it replaces the 
verification Tor applies when generating a .onion hash. Recognition 
of key-based locations should be anticipatory, not reactive; users 
already have a sense of security when they see a padlock icon (SSL!), 
but the most they should assume from it is that they have a secure 
connection to the MITM.

>It's only on when I turn it on, and it tells me if somebody is 
>trying to log in as me.

Assuming it's on and an attacker isn't spoofing the RP ;)

Also, see:
http://lists.openid.net/pipermail/openid-general/2009-May/018294.html
Apparently(?), the checkid_immediate spec calls for your OP/URI 
maintaining impeccable uptime *and* responding to discovery at all 
times.

-Shade

