[OpenID] Community Reputation Services
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri May 23 17:56:53 UTC 2008
Nate Klingenstein:
> Dick,
>
>
>> The OP is the user's agent managing their identity and the
>> architecture is such that the user should be able to choose any OP
>> they want.
>> You can trust the identifier from the OP the same as you can trust
>> the user in presenting their username and password.
>>
>
> Are you sure? As a classical application, I request the username/
> password directly from the user. Nobody (should, heh) know the
> password besides me and the application, and it's (usually) protected
> in transit.
>
I think username/password pairs shouldn't be used at all anymore and
when looking at http://openiddirectory.com/ for providers one might see
an interesting development and trend of using client certificate based
authentication. That's just a side-note about how OpenID providers take
on this issue more and more...in that respect the trust in OPs is
improving, but obviously there is no requirement at all for any type of
authentication...
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390