[OpenID] OpenID and trust

James A. Donald jamesd at echeque.com
Mon Jan 15 03:31:59 UTC 2007

On 13-Jan-07, at 1:55 AM, Marcin Jagodzin'ski wrote:
> I don't quite get it. How can RP get information about
> OP's? I can write an spam-OP which will always return
> information, that user was authenticated using eg.
> token (even if it's not true).

Spammers can create any number of spam-OPs

If they do, then relying parties can use the usual
measures - for example a blog can auto whitelist any
commentor who has had a comment approved, and also auto
whitelist his OP, blacklist known spammer OPs, and
graylist all unknown OPs.

People with a whitelisted OP get their comment displayed immediately,
but flagged to be examined by moderator, people with a graylisted OP get
their comment held for moderation, people with a blacklisted OP get 404ed

More information about the general mailing list