[OpenID] [from Marketing] I object to OpenID whitelists
Meng Weng Wong
mengwong at pobox.com
Tue Jul 3 21:38:16 UTC 2007

Hi everyone, we're moving a thread about OpenID whitelists/blacklists/
reputation over from the Marketing list.

Mark Atwood has posted some excellent substance, below.

With luck, this discussion will uncover assumptions and scenarios
that can inform our evolving paradigm.

On a less philosophical level, I will stay alert to use cases,
requirements, and design principles that may inform new system
architectures and software.

I have been involved in authentication and reputation since 2003. I
hope to eventually contribute white papers and diagrams to help
advance this conversation.

On Jul 3, 2007, at 11:37 AM, Mark Atwood wrote:
> Meng Weng Wong <mengwong at pobox.com> writes:
>>>
>> Hey everyone, I just subscribed to all the mailing lists. I have
>> some cycles free to contribute to the community now and I want to
>> start with whitelists.
>
> I dislike whitelists for OpenID.
>
> Because I run my own OpenID server just for myself, as I suspect many
> of the more sophisticated OpenID users will. And the spread of
> whitelists will make doing that impossible.
>
> If someone is truly worried about their OpenID provider turning evil,
> running one's own is an option, and presently is an easy option.
>
> If I have to worry about me stealing my own online identity,
> and then me going around pretending to be me,
> I have much bigger problems than just data security protocols...
>
>
> I can see a use for whitelists for a few cases, such as a whitelist
> of OpenID providers that can make legally valid statements about
> the legal name and age of the person, for sites that want age
> verification.
>
> Or a whitelist of OpenID providers who provide true two-factor
> hardware auth, such that can be trusted by a bank.
>
> (Right now, the first whitelist has only one member, and the second
> one is empty.)
>
> But a whitelist of "well known OpenID providers", brings nothing of
> value to OpenID, and in fact, *removes* value from the system.
>
> --
> Mark Atwood              When you do things right, people won't be sure
> me at mark.atwood.name   you've done anything at all.
> http://mark.atwood.name/ http://fallenpegasus.livejournal.com/