[OpenID] openid query
Martin Atkins
mart at degeneration.co.uk
Wed Feb 27 19:00:56 UTC 2008
Vipin Rathor wrote:
> Hi all,
> I'm a newbie bitten by openid bug. I was just wondering that how a
> website using openid service (let's say magnolia) trust a openid
> service provider (say verisign)?
> Is there any trust relationship that both need to have beforehand? If
> not, then why not?
>
> Thanks in advance.
>
In most cases today no explicit, pre-existing trust relationship exists
between relying party and OpenID provider. The RP simply verifies that
the OP is authorized to make assertions about the given URL by
performing OpenID Discovery on that URL. An shared session key is
automatically created when necessary between OP and RP so that they can
communicate securely.
An untrustworthy OP can, assuming that the RP is implemented correctly,
only make false assertions about URLs that declare it as their OP.
More information about the general
mailing list