[OpenID] OpenID and trust
marcin.jagodzinski at gmail.com
Mon Jan 15 18:53:30 UTC 2007
Well, the "usual measures" are not very efficient in my opinion when
dealing with email spam, so I don't think they will be efficient when
dealing with "OpenID spam".
There's another question: the Assertion Quality Extension can be used to
check whether the user authenticated using some particular method. Don't
you think there is another scenario, in which the RP can ask the OP to use
Example: the RP is some e-commerce system. When the value of a transaction is
less than 10$, the OP can use a password; when it's more than 10$, a token is
required. The user should always use one and the same identifier, but
depending on the transaction, different authentication will be used.
I don't know whether it's possible using existing specs?
2007/1/15, James A. Donald <jamesd at echeque.com>:
> On 13-Jan-07, at 1:55 AM, Marcin Jagodziński wrote:
> > I don't quite get it. How can the RP get information about
> > OPs? I can write a spam-OP which will always return
> > information that the user was authenticated using e.g.
> > a token (even if it's not true).
> Spammers can create any number of spam-OPs.
> If they do, then relying parties can use the usual
> measures - for example a blog can auto whitelist any
> commenter who has had a comment approved, and also auto
> whitelist his OP, blacklist known spammer OPs, and
> graylist all unknown OPs.
> People with a whitelisted OP get their comment displayed immediately,
> but flagged to be examined by moderator; people with a graylisted OP get
> their comment held for moderation; people with a blacklisted OP get 404ed.
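The whitelist/graylist/blacklist triage described in the quoted reply, sketched as an added example that is not part of the original thread or of any OpenID library. The class and function names are hypothetical, the sample URLs are constructed, and two choices are assumptions: reputation is keyed on the host of the OP endpoint the RP itself discovered (not on anything the OP asserts), and a whitelisted commenter is treated like a whitelisted OP.

```python
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    PUBLISH_FLAGGED = "display immediately, flag for moderator review"
    HOLD = "hold for moderation"
    REJECT_404 = "respond with 404"


def op_key(op_endpoint: str) -> str:
    """Reputation key: host of the OP endpoint URL (assumption, see lead-in)."""
    host = urlsplit(op_endpoint).hostname  # already lowercased by urlsplit
    if not host:
        raise ValueError(f"not an absolute URL: {op_endpoint!r}")
    return host


class OpReputation:
    def __init__(self, blacklist=()):
        self.blacklisted_ops = {op_key(u) for u in blacklist}
        self.whitelisted_ops = set()
        self.whitelisted_users = set()

    def triage(self, claimed_id: str, op_endpoint: str) -> Action:
        op = op_key(op_endpoint)
        if op in self.blacklisted_ops:
            return Action.REJECT_404       # blacklist overrides any whitelist
        if op in self.whitelisted_ops or claimed_id in self.whitelisted_users:
            return Action.PUBLISH_FLAGGED
        return Action.HOLD                 # unknown OP is graylisted

    def comment_approved(self, claimed_id: str, op_endpoint: str) -> None:
        """Moderator approved a comment: whitelist the commenter and the OP."""
        op = op_key(op_endpoint)
        if op in self.blacklisted_ops:
            return                         # never promote a blacklisted OP
        self.whitelisted_users.add(claimed_id)
        self.whitelisted_ops.add(op)

    def blacklist_op(self, op_endpoint: str) -> None:
        op = op_key(op_endpoint)
        self.blacklisted_ops.add(op)
        self.whitelisted_ops.discard(op)
```

Because one approved comment whitelists the whole OP, every other identifier hosted on that OP is published before review, which is why the reply pairs the whitelist with moderator flagging.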