[OpenID] Rule of thumb

Evan Prodromou evan at prodromou.name
Wed Jul 11 22:47:41 UTC 2007


So, the list seems to be generally cogitating about the issue of which
OpenIDs to allow access to a system. I'd like to suggest the following
rule of thumb for people considering OpenID:

        If your current registration validation system consists of email
        address verification or less, then OpenID is probably fine for
        you.

I think this rule of thumb covers well north of 95% of
publicly-accessible Web sites. You can block individual bad behavers on
a case-by-case basis, and you can block bad-boy servers that give out
IDs to bad behavers (or that try to exploit weaknesses in OpenID
implementations) in whole.

I think the remaining public Web sites are mostly banks and credit card
companies, and they're probably not going to implement any
authentication system, anyway. They don't accept browser certs, and
they're not going to accept OpenID, until it's as ubiquitous as
username/password.

The question of private Web sites -- intranets, extranets -- seems
really easily handled with white/blacklists, but maybe that's just me.

I think that if there's anything else, it's dating sites, homestay
networks, and parenting sites that use in-person verification to make
sure that the person posting is real and non-creepy. I don't think that
OpenID has much to offer these communities, and twisting it from an
authentication protocol to a profile verification protocol is unhealthy.

I think there is a possibility for building up a web-of-trust system
based on OpenID, but I don't think it's in-scope for the specification
itself.

-Evan

-- 
Evan Prodromou <evan at prodromou.name>
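The post's two access models (block individual bad providers wholesale on a public site; run an allow/deny list of providers on an intranet or extranet) come down to one check: which identity provider host an OpenID identifier points at. The example below is added here and is not code from the post or from any OpenID library; the host lists, the subdomain-matching rule and the sample identifiers are constructed for the demo. It normalizes the identifier URL the way OpenID consumers do (supply a missing scheme, lowercase the host, drop default ports and fragments) and then decides on the parsed host rather than on a string prefix, so an identifier such as `http://trusted-host@other-host/` is judged by the host that would actually be contacted.

```python
from urllib.parse import urlsplit

# Constructed example policy (assumption for this demo, not from the post):
# an intranet that trusts two providers and has blocked one outright.
ALLOWED_HOSTS = {"id.example.org", "login.example.net"}
BLOCKED_HOSTS = {"spammy-openid.example"}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier: str) -> str:
    """OpenID-style URL normalization: add a scheme if missing, lowercase
    scheme and host, drop the default port, default an empty path to '/',
    and strip any fragment. Raises ValueError on anything we cannot use."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    # parts.port raises ValueError itself on a malformed port.
    port = "" if parts.port in (None, _DEFAULT_PORTS[scheme]) else f":{parts.port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{port}{path}{query}"


def identifier_host(identifier: str) -> str:
    """The provider host the consumer would talk to for this identifier.
    Using the parsed hostname (not a string prefix) means userinfo such as
    'trusted@evil' cannot disguise the real host."""
    return urlsplit(normalize_identifier(identifier)).hostname


def _matches(host: str, listed: set) -> bool:
    # A listed host covers itself and all of its subdomains
    # (assumed matching rule; tighten to equality if providers must be exact).
    return any(host == h or host.endswith("." + h) for h in listed)


def access_decision(identifier: str, allowed=ALLOWED_HOSTS, blocked=BLOCKED_HOSTS):
    """Return ('allow'|'deny', reason). With an empty allowlist only the
    blocklist applies, which is the public-site model from the post; a
    non-empty allowlist is the intranet/extranet model."""
    try:
        host = identifier_host(identifier)
    except ValueError as exc:
        return ("deny", f"malformed identifier: {exc}")
    if _matches(host, blocked):
        return ("deny", f"provider {host} is blocklisted")
    if allowed and not _matches(host, allowed):
        return ("deny", f"provider {host} is not on the allowlist")
    return ("allow", f"provider {host} accepted")


if __name__ == "__main__":
    # Constructed sample identifiers covering both policies.
    for ident in ("https://ID.Example.org/alice",
                  "alice.id.example.org",
                  "http://spammy-openid.example/bob",
                  "http://id.example.org@spammy-openid.example/",
                  "ftp://id.example.org/carol"):
        print(ident, "->", access_decision(ident))
    # Public-site mode: no allowlist, only the blocklist.
    print("anyone.example ->", access_decision("http://anyone.example/", allowed=set()))
```

The same `access_decision` serves both deployments: pass `allowed=set()` for a public site that only wants to cut off abusive providers, and a populated allowlist for a private site. The matching rule treats subdomains of a listed host as covered, which is convenient for providers that hand out per-user subdomains; if that is not wanted, replace `_matches` with an exact comparison.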