[OpenID] Trust + Security @ OpenID
Jason Salaz
jason at zenenet.com
Mon Jul 16 17:28:08 UTC 2007
On 7/16/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
>
> First of all, I believe that a list of IDPs which conform to a certain
> standard and criteria is way more effective than a black list of rough IDPs
> for reasons we all know.
That's a great way to shut out everyone that isn't an enterprise.
It's a great theory, but it'll never work in practice.

I will never EVER submit my domain to be "approved" in order for RPs
to take my auth.

This is a very sticky subject, blocking illegitimate and legitimate,
but there is one thing I know for sure:
if you require people to have their IdP validated before the majority
of RPs will allow them to auth, you will have single-handedly KILLED
OpenID.

Centralizing any aspect of a decentralized system is a very very BAD
idea. Especially centralizing the part that OpenID decentralized in
the first place.