[OpenID] checking of openid provider web sites

Steven Livingstone-Perez weblivz at hotmail.com
Tue Dec 16 13:01:59 UTC 2008 

At the moment, yes it would (unless the delegated domains were added).
Wonder what % use these as opposed to going via the main OP's.

-----Original Message-----
From: chris.messina at gmail.com [mailto:chris.messina at gmail.com] 
Sent: 16 December 2008 12:32
To: Steven Livingstone-Perez
Cc: Peter Williams; general at openid.net
Subject: Re: [OpenID] checking of openid provider web sites

Wouldn't this imply that self-hosted or delegated OpenIDs (say,
Factoryjoe.com) would also fail?

On 12/16/08, Steven Livingstone-Perez <weblivz at hotmail.com> wrote:
> Hi Peter - yes, it's pretty simple. It compares the domain that has asked
> the user to enter details to a static  domain part on the server.
>
>
>
> So for myopenid.com I assume all domains are in the format
> http://username.myopenid.com (or http://myopenid.com/username).
>
>
>
> On the server is I store the parts of the domain that must be identified
to
> make this a valid domain. So I store ".myopenid.com" - the domain
authority
> for all requests must end with this part to make it a valid domain. So
> "http://weblivz.myopenid.com.cn" would fail and so on.
>
>
>
> Right now it's really not intended to be anything other than a discussion
-
> I am adding sites through the week. No external management is needed - I
may
> confirm the possible formats of OpenID requests at an OP though.
>
>
>
> There is no real trust - all of these things could be added but it's not a
> simple thing to say you "trust" someone and not someone else, so I simply
> wanted to provide a way of saying that this is not the domain you expect
it
> to be.
>
>
>
> I put it together in a few hours so I could use it myself an figured some
> others may find it useful. Things could be added of course if it proves
> useful.
>
>
>
> Is there anything out these that does this already - additionally are
there
> are sites that do work in verifying OP's ?
>
>
>
> If some "central" authority could provide a "register your OP" function
and
> allowed services such as this WebCheck service to download this signed Xml
> document to allow anyone to check details then that could be useful too.
>
>
>
> steven
>
> http://livz.org
>
>
>
> From: Peter Williams [mailto:pwilliams at rapattoni.com]
> Sent: 16 December 2008 02:31
> To: Steven Livingstone-Perez; general at openid.net
> Subject: RE: [OpenID] checking of openid provider web sites
>
>
>
> Is there a description of the method it uses to determine correctness of
the
> OP?
>
>
>
> Is it intended to be foolproof, advisory, or a hint?
>
>
>
> Is its accuracy a function of any user management activities, per OP?
>
>
>
> Are there any trust assumptions?
>
>
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Steven Livingstone-Perez
> Sent: Monday, December 15, 2008 4:21 PM
> To: general at openid.net
> Subject: [OpenID] checking of openid provider web sites
>
>
>
> Based on some of the rather more detailed solutions I've read about today,
I
> have hacked a rather simple idea for something I thought may be useful.
>
>
>
> It is basically a plug-in to the browsers (Bookmarklet just now for all
and
> a toolbar for FF and IE in the works) and it allows you to check whether
the
> OpenID provider you have been asked to enter your details into is indeed
the
> correct provider. It tells you if there is an issue with the provider.
>
>
>
> Currently I have added a check for OpenID.org, myOpenID.com and
claimID.com
> (for no reason other than it's getting late here). So just add the
> bookmarklet (toolbars are in the works) and when you are asked to log into
> one of these sites click the "WebCheck" button to perform a quick check.
>
>
>
> Details at:
>
> http://www.openid.org/apps/webcheck/default.aspx
>
>
>
> I have no idea whether this will be useful or a ton of issues will spring
to
> mind but figured if I throw it out I'll soon find out (and save energy if
of
> no use!).
>
>
>
> steven
>
> http://livz.org
>
>


-- 
Chris Messina
Citizen-Participant &
  Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private

More information about the general mailing list