[PROPOSAL] Handle "http://user at example.com" Style Identifiers
Josh Hoyt
josh at janrain.com
Mon Oct 23 18:53:05 UTC 2006
(moved to general list, since it's not about specifications)
On 10/22/06, George Fletcher <gffletch at aol.com> wrote:
> So why can't idp.spammers.com allow anyone to enter a URI
[...]
> So of course, the RP just needs to "blacklist" idp.spammers.com. But
> now we are back in the same situation we have today where it's a race
> between spammers setting up "IdPs" and RPs "black-listing" them.
>
> Fundamentally, "trustworthiness" is paramount to making the system
> work. For now, this means RPs will likely have some sort of ACL (black
> or white) for the IdPs that they deal with.
OpenID authentication makes users identifiable. It does not handle
trust or authorization. In my opinion, this tight focus is a strength
of OpenID. The problem of cross-site identification and authentication
has a workable solution that has been reproduced with slight
variations as LID, SXIP, OpenID, and many others. My goal is to get
the solution to this problem out there, and start working on solutions
for the other problems, building on the authentication layer instead
of duplicating that work.
I think that it would be a mistake to try to make OpenID handle trust or
authorization, since those problems are independent. The
authentication protocol can then be used with any authorization or
trust scheme.
Josh