[OpenID] OpenID and trust

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sat Jan 13 09:55:20 UTC 2007


Hi all,

while I do understand that OpenID authentication is about
authentication, not trust, the "higher" level specifiaction are about
trust. Assertion Quality Extension is one of examples.

"We acknowledge that, while none of the information expressed via this
extension can be verified by the Relying Party in a technological
fashion, this need not be viewed as an issue. The lack of an inherent
trust model within OpenID allows for Relying Parties to decide which
OPs they trust using whatever criteria they choose - likewise RPs will
decide whether or not to trust claims as to authentication quality
from such OPs as well."

I don't quite get it. How can RP get information about OP's? I can
write an spam-OP which will always return information, that user was
authenticated using eg. token (even if it's not true).

There are some solutions, but each one has some shortcomings:

* "white lists/black list" -- but who will maintain them?
* some "authority" -- possibly a non-profit organization of OP's,
which checks if members are in fact enforcing policies of
enrollment/authentication
* "web of trust" -- if RP "A" trusts that OP "X" really uses token, OP
"B" trusts OP "X" as well

Any ideas?

Best regards,
Marcin Jagodziński
http://identity20.pl/


More information about the general mailing list