[OpenID] Initial thoughts on OpenID
John Panzer
jpanzeracm at johnpanzer.com
Mon Jul 9 08:34:58 UTC 2007
John Wang wrote:
> Recently I started considering OpenID authentication for a project. I
> watched two screencasts and spoke to a few people to get a general feel
> for the project and then jotted down my thoughts here:
>
> http://www.dev411.com/blog/2007/07/07/initial-thoughts-on-openid
>
> Some of the thoughts are similar to some posts on this list. Please let
> me know where/if I'm wrong. I considered inlining the text but it's kind
> of long.
I saw your blog post earlier today and thought it was interesting. One
thing jumped out at me: There's a useful distinction between an OP
which connects an identity to a real world person (as banks do), and an
OP which does not but does provide reasonably strong authentication of
'online-only' identities. So I'd like to have a 'tier 1.5', where I
want e.g. SSL/TLS but I don't need a full 'tier 1' OP assurance. I think
this is common.
I'd also note that an RP may have different assurance needs depending on
what it's planning to do. So rather than categorizing RPs, I'd
categorize RP operations. An RP should accept the minimal assurance
necessary for its least secure operation (IMHO) and require upgrading as
necessary if a user attempts more secure operations.
-John
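The policy John sketches above, requirements attached to RP operations rather than to the RP as a whole, with a user stepped up only when attempting a more sensitive operation, as an added example that is not part of the original thread or of any OpenID library. The tier names, the rule that classifies an OP assertion into a tier, and the operation table are assumptions made for illustration:

```python
"""Per-operation assurance for an OpenID relying party (RP).

Added example, not code from the thread or from any OpenID library. The
tier names, the way an OP assertion is classified, and the operation table
are assumptions made to illustrate the policy: accept the minimal assurance
for the least sensitive operation, require a step-up for anything stronger.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    # Ordered so that >= expresses "at least this strong".
    NONE = 0       # unauthenticated visitor
    TIER_2 = 1     # OP asserted the identifier, no further guarantees (assumed)
    TIER_1_5 = 2   # OP authenticated over TLS, identity is online-only (assumed)
    TIER_1 = 3     # OP binds the identifier to a real-world person (assumed)


def classify_op(used_tls: bool, identity_proofed: bool) -> Assurance:
    """Map what the RP knows about the OP and its assertion to a tier.

    Assumed rule: identity proofing without TLS is still only tier 2, since
    an unprotected assertion cannot carry the stronger claim.
    """
    if not used_tls:
        return Assurance.TIER_2
    return Assurance.TIER_1 if identity_proofed else Assurance.TIER_1_5


# Requirements live on operations, not on the RP. Constructed table.
OPERATION_REQUIREMENTS = {
    "read_public_profile": Assurance.NONE,
    "post_comment": Assurance.TIER_2,
    "change_email": Assurance.TIER_1_5,
    "transfer_funds": Assurance.TIER_1,
}


@dataclass
class Session:
    claimed_id: str        # OpenID identifier the OP asserted
    assurance: Assurance   # assurance established so far for this session


@dataclass
class Decision:
    allowed: bool
    current: Assurance
    required: Assurance

    @property
    def step_up_to(self) -> Optional[Assurance]:
        """Level the user must re-authenticate at, or None if already allowed."""
        return None if self.allowed else self.required


def authorize(session: Session, operation: str) -> Decision:
    """Allow the operation if the session's assurance meets its requirement.

    Unknown operations fail closed by requiring the strongest tier.
    """
    required = OPERATION_REQUIREMENTS.get(operation, Assurance.TIER_1)
    return Decision(session.assurance >= required, session.assurance, required)


def step_up(session: Session, claimed_id: str, new_assurance: Assurance) -> Session:
    """Apply a fresh OP assertion to an existing session.

    The assertion must be for the same identifier, and a weaker assertion
    never lowers the assurance already established.
    """
    if claimed_id != session.claimed_id:
        raise ValueError("step-up must re-authenticate the same identifier")
    return Session(session.claimed_id, max(session.assurance, new_assurance))


if __name__ == "__main__":
    # Constructed walk-through: a tier 1.5 login, then a step-up for funds.
    alice = "https://alice.example.net/"   # assumed identifier
    s = Session(alice, classify_op(used_tls=True, identity_proofed=False))
    for op in OPERATION_REQUIREMENTS:
        d = authorize(s, op)
        print(f"{op:22} allowed={d.allowed} step_up_to={d.step_up_to}")
    s = step_up(s, alice, Assurance.TIER_1)
    print("transfer_funds after step-up:", authorize(s, "transfer_funds").allowed)
```

Two details worth keeping when adapting this: an operation missing from the table is denied until someone classifies it, and a later, weaker assertion for the same identifier cannot quietly lower a session that was already stepped up.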