[OpenID] Trust + Security @ OpenID
Simon Willison
simon at simonwillison.net
Sun Jul 15 21:35:55 UTC 2007
On 7/15/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
> So I believe in the concept of whitelists and have IDPs go through some
> verification process. The extent of this process and what it would include
> has to be discussed obviously, but I really would like to see to take this
> one step further and form such a body (starting with discussions about how
> this body should operate and function first, its (perhaps simple)
> constitution and mission, who staffs it etc. etc.).
I believe in the concept of whitelists, although at the level of
individual OpenIDs rather than providers:
http://simonwillison.net/2007/Jan/22/whitelisting/
One significant barrier to whitelisting at the provider level is
OpenID delegation. http://simonwillison.net/ currently delegates to
idproxy.net - if that provider is on the approved list, but I then
change my mind and delegate to someone else who isn't, what happens?
More generally, any body that operates a whitelist should (and I
believe must) exist as a separate entity from the core OpenID effort.
OpenID supports this already - if someone wants to set up this effort
right now there's nothing to stop them from doing so, and they can
build it on the existing 1.1 specification. This also maintains
OpenID's decentralised nature - there can be one provider whitelist
effort or many, the spec has nothing to say on the matter.
Personally, I plan to have my applications accept any and all OpenIDs,
even ones from providers such as www.jkg.in/openid which I know to
allow any user to authenticate any OpenID. If my users wish to give
away their accounts then that's their business.
Cheers,
Simon
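The delegation problem Simon raises, as an added example that is not part of this thread: a relying party that parses an OpenID 1.1 identifier page, follows the openid.server / openid.delegate links, and applies a provider whitelist to the discovered server host rather than to the claimed identifier. The sample page and the endpoint URLs are constructed, not idproxy.net's real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a relying party might fetch from a claimed
# identifier such as http://simonwillison.net/ that delegates to another
# provider (OpenID 1.1 style). The endpoint paths are placeholders.
DELEGATING_PAGE = """<html><head>
<link rel="openid.server" href="https://idproxy.net/openid/server">
<link rel="openid.delegate" href="https://idproxy.net/user/simon">
</head><body>hello</body></html>"""


class _LinkRelParser(HTMLParser):
    """Collects the openid.* <link rel=...> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():
                if r.startswith("openid.") and r not in self.rels:
                    self.rels[r] = href  # first occurrence wins


def discover(html):
    """Return (server_url, delegate_url) from an OpenID 1.1 identifier page.
    delegate_url is None when the page is served by the provider itself."""
    p = _LinkRelParser()
    p.feed(html)
    server = p.rels.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found")
    return server, p.rels.get("openid.delegate")


def provider_allowed(html, allowed_hosts):
    """Whitelist decision keyed on the *discovered* provider endpoint: after
    delegation it is the openid.server host, not the claimed identifier's
    host, that actually authenticates the user. Re-running discovery on
    every login means a change of delegation is caught immediately."""
    server, _ = discover(html)
    host = urlparse(server).hostname or ""
    return host.lower() in {h.lower() for h in allowed_hosts}
```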