[OpenID] Trust + Security @ OpenID
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Thu Jul 19 00:45:23 UTC 2007
Hi Greg,
First of all this is an interesting question. Please allow me to provide
my opinion, which is obviously mine and not that of Meng Weng Wong.
Greg Hewgill wrote:
> How would a whitelist of providers work for people like myself who run
> their own OP?
The reputation service (of whitelists) I envision would allow you to
register your IDP server in a basic configuration. No strings attached.
> In my case, my OP is used only by me and the details of
> the authentication method are not public. Would there be any provision
> to get such an OP onto any kind of whitelist?
>
If you would like to have attributes added such as you mentioned:
authentication methods, SSL or other measures I guess you would have to
disclose them to the representative of the reputation service. Obviously
certain aspects such as SSL can be verified without having to disclose
anything except the URL (which is supposed to be know anyway).
> A whitelist that is based on the OpenID itself, rather than the
> associated OpenID Provider, wouldn't even raise this question.
How would you suggest to review/verify/control each and every OpenID
user? It might be possible in some sort of socialized recommendation
system, which could give some indication about the OpenID itself, but
OpenID providers could be measured according to the extensions
http://openid.net/specs/openid-assertion-quality-extension-1_0-03.html
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070719/57b40337/attachment-0002.htm>
More information about the general
mailing list