[OpenID] openid query

Martin Paljak martin at paljak.pri.ee
Fri Feb 29 14:55:02 UTC 2008


On Feb 29, 2008, at 3:29 PM, George Fletcher wrote:
> As Nat says, reputation can help significantly (provided you "trust" the
> reputation service ;) ). Or as others have mentioned, white lists. Of
> course, you could also design the RP with increasing levels of service
> based on the RP's "trust" of the customer. So the customer has to "earn
> some level of trust" in order to get access to increasingly valuable
> services. Whether customers want to wait through that process is another
> matter.

There are two types of websites roughly:
public ones (yourcoolweb2app.com)
closed ones (yourintranet.com)

To make use of OpenID, both organizations first have to learn to trust  
their clients.
This of course assumes that users make smart decisions.

Public websites should be happy with whatever credentials the user  
wishes to present and just be thankful that the user visits them. You  
should make blacklists only to protect users from Really Bad Providers.

Private websites, if they go for OpenID, need to trust their clients  
as well. If I say that I want to get access to my stuff with OpenID  
example.com, I probably am very sure about it. Why should somebody  
doubt my choice? Most probably this type of website uses whitelists to  
use providers that are known to be Good Enough.


OpenID is great for trust actually. If we take the amount of 'trust'  
one person can normally handle and assume it is finite (like Dunbar's  
number), it is much-much easier to trust a handful of OpenID providers  
you use to behave correctly than it is to trust all those hundreds of  
sites you use to handle your password and private information in the  
right way. The same goes for reputation services.

Do I trust the 50+ 'authorities' pre-selected by somebody else for me  
in Firefox? I doubt it. Do I trust the OpenID providers I've chosen to  
use? More likely.


m.
-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495




