[OpenID] OpenID and trust
Johnny Bufu
johnny at sxip.com
Sun Jan 14 01:12:46 UTC 2007
On 13-Jan-07, at 1:55 AM, Marcin Jagodziński wrote:
> I don't quite get it. How can an RP get information about OPs? I can
> write a spam-OP which will always return information that the user was
> authenticated using e.g. a token (even if it's not true).
>
> There are some solutions, but each one has some shortcomings
The only trust relationship in OpenID is between the user and his/her
OP. Being decentralized, anyone can be an OP.
A verified OpenID assertion guarantees to the RP that the user owns
the identifier, but nothing more. If the RP needs extra "proofs"
about the user, one way to obtain them could be accomplished with
attribute exchange [1] and signed assertions [2] :
a) With the OpenID authentication request, the RP also requests an
attribute of type "signed assertion from a party trusted by the RP"
b) If the user already has such an attribute at his OP he can provide
it to the RP, satisfying its request
c) If the user doesn't have the requested attribute, the meta-data
associated with the specified attribute type could contain a pointer
to a means of obtaining it, so that the user / OP know how to get
one, if they want to.
By standardizing the acquisition mechanism and description in c) this
part could also be automated, so that the effort for the user is
minimized.
[1] http://openid.net/specs/openid-attribute-exchange-1_0-04.html
[2] http://www.mail-archive.com/specs@openid.net/msg00907.html
Johnny
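The flow sketched in a) to c) above, as an added illustration that is not part of the original post and not code from the OpenID AX or signed-assertion proposals: an RP asks, via an AX fetch_request, for a hypothetical attribute type "signed assertion from a party trusted by the RP", and then verifies whatever the OP hands back against its own list of trusted issuers. The point it demonstrates is the one Marcin raised: a spam-OP can populate the AX value with anything it likes, but without the trusted party's key it cannot produce a verifiable assertion, and a genuine assertion replayed for a different claimed identifier is rejected too. HMAC-SHA256 with a key known to the RP stands in for a real public-key signature (assumption for the sake of a self-contained example); all URLs, the attribute type URI, and the key values are constructed for the example. The ordinary OpenID response signature check, which only proves ownership of the identifier, is assumed to have already happened and is not modelled.

```python
"""Simulated OpenID RP requesting a third-party-signed assertion via
Attribute Exchange (AX) and verifying it independently of the OP."""
import base64
import hashlib
import hmac
import json

# Hypothetical attribute type URI for the "signed assertion" attribute.
ASSERTION_TYPE = "http://example.com/ax/types/signed-assertion-over-18"
AX_NS = "http://openid.net/srv/ax/1.0"

# Parties the RP trusts to issue assertions, with their verification keys.
# HMAC stands in for a signature; with a real scheme this would hold public keys.
TRUSTED_ISSUERS = {"https://verifier.example/": b"example-verification-key"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(issuer: str, key: bytes, subject: str, claims: dict) -> str:
    """Trusted party signs claims bound to a specific OpenID identifier ('sub')."""
    payload = json.dumps({"iss": issuer, "sub": subject, **claims}, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_assertion(token: str, claimed_id: str):
    """Return the claims if signed by a trusted issuer for this identifier, else None.
    Nothing the OP says about the value is consulted."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        claims = json.loads(payload)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None  # issuer is not a party trusted by the RP
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None  # forged or altered: the signer did not hold the issuer's key
    if claims.get("sub") != claimed_id:
        return None  # assertion about another identifier: blocks replay
    return claims


def build_auth_request(claimed_id: str, return_to: str) -> dict:
    """Step a): OpenID 2.0 checkid_setup carrying an AX fetch_request."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.assertion": ASSERTION_TYPE,
        "openid.ax.required": "assertion",
    }


def op_fetch_response(request: dict, stored_value: str) -> dict:
    """Step b): the OP answers with whatever it has stored for the user.
    An honest OP stores a real assertion; a spam-OP can store anything."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": request["openid.claimed_id"],
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.assertion": ASSERTION_TYPE,
        "openid.ax.value.assertion": stored_value,
    }


def rp_accepts(response: dict):
    """RP side: pull the AX value out of the response and verify it ourselves."""
    if response.get("openid.ax.mode") != "fetch_response":
        return None
    if response.get("openid.ax.type.assertion") != ASSERTION_TYPE:
        return None
    return verify_assertion(response.get("openid.ax.value.assertion", ""),
                            response["openid.claimed_id"])


def demo():
    """Honest OP vs. spam-OP vs. replay; returns the three RP verdicts."""
    alice, mallory = "https://alice.example/", "https://mallory.example/"
    req = build_auth_request(alice, "https://rp.example/finish")
    # Step c) already happened for Alice: she obtained a real assertion and stored it at her OP.
    genuine = issue_assertion("https://verifier.example/",
                              TRUSTED_ISSUERS["https://verifier.example/"], alice, {"over18": True})
    honest = rp_accepts(op_fetch_response(req, genuine))
    # Spam-OP fabricates the attribute, naming the trusted issuer but signing with its own key.
    forged = issue_assertion("https://verifier.example/", b"spam-op-made-up-key", alice, {"over18": True})
    spam = rp_accepts(op_fetch_response(req, forged))
    # Spam-OP replays Alice's genuine assertion for Mallory's identifier.
    replay = rp_accepts(op_fetch_response(build_auth_request(mallory, "https://rp.example/finish"), genuine))
    return honest, spam, replay


if __name__ == "__main__":
    print(demo())
```

Only the first verdict is accepted. Binding the assertion to the claimed identifier ("sub") is the caveat a practitioner would add to the proposal: without it, any OP that has seen one valid assertion could present it for every user it serves.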