[OpenID] OpenID appropriate here?

Nate Klingenstein ndk at internet2.edu
Fri May 30 15:19:39 UTC 2008


Isak,

If you aren't comfortable trusting the issuer/OP of a credential,  
then you're not likely to find federated identity of any flavor,  
including OpenID, an acceptable solution.  The RP is, as the name  
would imply, totally reliant on the OP to properly authenticate users.

If you can't do that and you'd need to fall back on additional  
confirmation -- e.g. RP-based authentication, as you describe -- then  
the only additional benefit is having a common identifier for the  
user.  That's not a really big use case in the face of extra work for  
your users.

Hopefully you'll reach a state where you can trust the issuers at  
some point.

Take care,
Nate.

On 30 May 2008, at 15:02, Isak Hansen wrote:

> #2 doesn't trust the first system (we do have full control over #1,
> but need to support other #1-like clients that we cannot trust).
>
> We want to avoid storing the users' plaintext password (for #2) in
> #1's db. Asking them for a password on demand could work, but isn't
> very convenient for the user.
>
> Would OpenID work for us?
