[OpenID] Trust + Security @ OpenID
Stephen Paul Weber
singpolyma at gmail.com
Fri Jul 20 19:20:45 UTC 2007
I have to agree here. There are decentralized technologies that work: SMTP
and XMPP being the most popular. An RP needs to be able to trust users, not
OPs. The protocol proves that user X has chosen OP X and controls URI X. A
bad OP can only do nasty things if user X chooses to use them. USERs can be
nasty, but OPs serve a pretty basic function.
On 7/8/07, Brendan Taylor <whateley at gmail.com> wrote:
>
> On Sun, Jul 08, 2007 at 01:59:02AM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> > like self-signed certificates. A relying party can choose to trust them
> > but nothing has been verified or guaranteed in any form (not even the
> > integrity of the authentication process). For me as relying party
> > running a forum or web log, this is not really assuring...not to speak
> > about other potential login facilities.
>
> This is something I've never understood - why does an RP need to trust an
> OP? If this is about spam, then surely it makes more sense to determine
> trust per-user (and possibly blacklist OPs).
>
> I especially don't understand why the RP cares about "integrity of the
> authentication process". Surely it should be the user's responsibility
> to select an OP with the security they require.
>
> I think this is going in the wrong direction; I would be very
> disappointed if OpenID lost its decentralization, and I'm not sure why
> people think it needs to.
--
- Stephen Paul Weber, Amateur Writer
<http://www.awriterz.org>
MSN/GTalk/Jabber: singpolyma at gmail.com
ICQ/AIM: 103332966
BLOG: http://singpolyma.net/