[OpenID] Combining Google & Yahoo user experience research

Brandon Ramirez brandon.s.ramirez at gmail.com
Mon Oct 20 18:04:58 UTC 2008


My thoughts exactly.  Whitelisting or blacklisting OPs seems like an RP
would be constantly chasing ghosts.  That is not a maintainable solution for
two reasons:

1. One would need to keep on top of all providers constantly, and be ready
to blacklist one that stops complying with the RP's policies.  What happens
to existing users of that service who use that OP?  That's a UX problem.
2. The list of whitelisted/blacklisted providers would vary from one RP to
another.  This creates inconsistency and would result in a consumer needing
to have several OpenIDs, one with each major provider, which more or less
defeats the purpose of WebSSO...

As I've said before, the same problem once existed with hosts files and then
we got DNS.

- Brandon

On Mon, Oct 20, 2008 at 1:36 PM, Paul Madsen <paulmadsen at rogers.com> wrote:

> Peter, how would OpenID keep the user-centric principle (which I believe
> for you means allowing the user's choice for an OP trump that of RPs?)
> in 'some or other form'?
>
> It seems a binary issue, i.e. an RP either has a whitelist (implying
> that the user must pick OPs from within if they want to authenticate
> that route) or doesn't (implying that the user is not constrained in their
> OP choice)
>
> Is there some meaningful middle ground?
>
> For the RP to base its decision on something more dynamic like OP
> reputation is more flexible, but it still means eventually the RP will
> have to say 'no' to some User when they present their OP.
>
> paul
>
> Peter Williams wrote:
> > This is what the openid vs saml issue is really all about. If openid
> > loses its uci roots, there is really no reason for openid to exist in my
> > views. If it keeps uci at least in some or other strong form, it's made a big
> > difference.
> >
> > Saml is about banks and ttp culture.
> > Openid is about people (versus people as mere "users" of such as ttp
> > banks).
> >
> > Of course, both sets of bits and bytes can easily actually address the
> > other's communities. But that's not the point.
> >
> > -----Original Message-----
> > From: Martin Atkins <mart at degeneration.co.uk>
> > Sent: Sunday, October 19, 2008 11:45 PM
> >
> > To be honest, I don't
> > care what my bank trusts. I care what I trust.
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
>
> --
> Paul Madsen             e:paulmadsen @ ntt-at.com
> NTT                     p:613-482-0432
>                        m:613-282-8647
>                        aim:PaulMdsn5
>                        web:connectid.blogspot.com
>