[OpenID] Rule of thumb
Recordon, David
drecordon at verisign.com
Sat Jul 21 23:25:19 UTC 2007
Eddy,
Don't get me wrong, I'm not trying to say that an RP will be forced to use one of these services. Let alone that VeriSign will run one. What I'm merely saying is that I think these sorts of services will come into existence where an RP can query for information about a Provider or particular user. The RP will be able to choose which service they wish to query, assuming multiple exist. I would not think that openid.net is the appropriate place to run one, but there is nothing stopping *anyone* in the OpenID community from creating one or working together to do so.
Does that make sense?
--David
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, July 13, 2007 12:54 PM
To: Eric Norman; general at openid.net
Subject: Re: [OpenID] Rule of thumb
Hi Eric,
Eric Norman wrote:
> Methinks there's an awful lot of RPs that would certainly
> prefer not.
I don't suppose this to be forced on anybody! But as anybody can choose to add CAs to the browser or add various white and black lists to the mail server, one could opt to make it a requirement or not. I'd view it as a service, confirming the adherence of an IDP to certain standards and rules (See the various extensions in draft right now).
> They would view this as the fox guarding the
> henhouse, to use an old adage.
It depends who is going to be the fox....;-)
Except what's wrong with the community taking care of this?
> After all, they are the ones with something at risk. So
> they're not going to listen much if the OpenID community
> starts telling them how to do their risk management. And
> rightly so.
I for one can't make use of OpenID in its current form, except if strictly trusting only our own IDP. I'm sure there are many more out there hesitating to adopt OpenID for this very reason. An RP in the OpenID world is usually a web site, not a person! Which makes accepting an IDP not a case-to-case based decision, but rather accept all or nothing. Nor do I have the intention to screen every new incoming IDP upon each request.
Perhaps you have a better suggestion to me...?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390