[OpenID] OpenID and trust

Johnny Bufu johnny at sxip.com
Sun Jan 14 01:12:46 UTC 2007

On 13-Jan-07, at 1:55 AM, Marcin Jagodziński wrote:
> I don't quite get it. How can RP get information about OP's? I can
> write an spam-OP which will always return information, that user was
> authenticated using eg. token (even if it's not true).
> There are some solutions, but each one has some shortcomings

The only trust relationship in OpenID is between the user and his/her  
OP. Being decentralized, anyone can be an OP.

A verified OpenID assertion guarantees to the RP that the user owns  
the identifier, but nothing more. If the RP needs extra "proofs"  
about the user, one way to obtain them could be accomplished with  
attribute exchange [1] and signed assertions [2] :

a) With the OpenID authentication request, the RP also requests an  
attribute of type "signed assertion from a party trusted by the RP"
b) If the user already has such an attribute at his OP he can provide  
it to the RP, satisfying its request
c) If the user doesn't have the requested attribute, the meta-data  
associated with the specified attribute type could contain a pointer  
to a means of obtaining it, so that the user / OP know how to get  
one, if they want to.

By standardizing the acquisition mechanism and description in c) this  
part could also be automated, so that the effort for the user is  

[1] http://openid.net/specs/openid-attribute-exchange-1_0-04.html
[2] http://www.mail-archive.com/specs@openid.net/msg00907.html


More information about the general mailing list