[OpenID] Relying Party Best Practices
David Corbin
dcorbin at machturtle.com
Fri Mar 9 22:33:57 UTC 2007
On Friday 09 March 2007 14:02, Karl Anderson wrote:
> David Corbin <dcorbin at machturtle.com> writes:
> > On Friday 09 March 2007 05:07, Mark Fowler wrote:
> >> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
> >> > Consider the perverse case where example.org gets sold a few times to
> >> > people who use it to log into Jyte,
> >>
> >> Er, if you sell your OpenID then you're selling your identity. Don't
> >> do that unless you really want someone else to be able to claim
> >> they're you.
> >
> > This places an obligation on IPs to NEVER re-use userIds then, doesn't
> > it?
>
> I don't think an Identity Provider is responsible for anything other
> than authentication

I meant a moral obligation.

> (but I haven't absorbed yadis or other discovery
> extensions, so I could be wrong). If you've lost the control over who
> authenticates with an identity URL, and you haven't told a Relying
> Party that that URL shouldn't be used to authenticate you anymore,
> you've lost control of your identity with that Relying Party.

It's not just about authentication, it's about Identity, isn't it?

--
David Corbin
Games, Gamers, Gaming - a blog - http://g3.machturtle.com