[OpenID] Community Reputation Services

Dick Hardt dick at sxip.com
Thu May 22 22:11:22 UTC 2008


On 22-May-08, at 1:09 PM, Nate Klingenstein wrote:

> Dick,
>
>> There is OpenID, the set of protocols, and an OpenID, an identifier.
>>
>> Is an OpenID identifier appropriate for your use cases? I don't  
>> think so.
>
> I'm torn on my answer here, to be honest.  We've tried for a very  
> long time to split authentication from authorization: anyone could  
> be given any identifier and it makes not a whit of difference,  
> because it doesn't necessarily grant any access or authorizations.   
> So, in principle, I totally agree with you.  I'd love this to be the  
> case because we could enhance identifiers and identities from other  
> IdP's/OP's with our own information, resulting in all kinds of good  
> things for users.
>
> In practice, this stance is often futile, just because applications  
> don't generally work that way (and proxying securely is really,  
> really hard).  Drives me nuts.

Hopefully the user-centric movement in identity will change that about  
applications. If you think about it now, the app generally does not  
put any trust in the identifier, it makes an LDAP call to someplace it  
trusts to determine what the identifier can do.

The model of the app asking the user for credentials so that it can  
determine what the user can do scales much better, and is not really  
any different than what is done today -- just inside out. :)

>
>
> Anyway, I don't see anything wrong with obtaining an OpenID  
> identifier in our use cases.  It just isn't itself meaningful for  
> these apps without the OP being trusted, and often trusted in a  
> specific way.  The same is true of any attributes sent too.  It's  
> all down to the RP to decide if it cares or not; I don't see an  
> identifier itself as materially different from any other information  
> about the user on this basis, and I think it could be used as a  
> user's primary key just fine for apps that need that.

I would argue that you are trying to use an OpenID identifier in a use  
case that it was not designed to be used.

>
>
>> BUT, you could use the protocols to request and receive a claim  
>> from a trusted source saying something about the user. We (Sxip)  
>> demoed some code to do that, but to date, the OpenID community has  
>> been focussed on other requirements.
>
> Exactly.
>
>> Which OP is managing an Identifier at a particular point in time  
>> should be irrelevant to the RP.
>
> I'd disagree with that on the premises that an OP can generally  
> spoof an identifier it manages at any point in time merely by  
> impersonating the user and skipping authentication.  Is that not the  
> case?

Your statement is correct.

If I have malware on my machine, it can take over any of my accounts  
and impersonate me as well. Where do we draw the line on the user  
making a security decision about who to trust to manage their identity?

My point is that putting that level of confidence in the OP is asking  
the protocol to do more than it was intended.

>
>
>> Let me know if this is resonating or not!
>
> Mostly, and I really appreciate the conversation.

Good, likewise!

-- Dick



