[OpenID] Created OpenID twitter group at twibes.com
SitG Admin
sysadmin at shadowsinthegarden.com
Sat May 2 15:14:38 UTC 2009
>registrar would have verified you in some way or the other. You can always
>trust the registrant of the domain.
And there we have OpenID's main centralized element: DNS. Just for a
lark, try changing your personal site's IP through your registrar and
see how much authentication they ask you for to do this. Do you
receive any notification of the change? Would you ever know, if it
were changed for a few minutes and then immediately changed back? For
a big business site, where thousands of users are connecting each
minute (visitors who know the site's expected layout and will notice
if it does not appear as expected), you *might* get at least one of
those to complain - but the attacker could set up something that
looks like a 404 error page (or "server temporarily experiencing
problems, please try again in a few minutes") and most users would
never know the difference. (Connections over SSL, if they are placing
orders or dealing with sensitive information, should be an
exception.) For a small personal site, it's unlikely anyone will
notice.
As for always trusting the registrant of a domain, there, sadly, we
get back to a fundamental truth of authentication: a person
submitting credentials over the internet is not necessarily the
person who "owns" those credentials. (It could be someone who has
stolen them. Or legally received a copy through key escrow.) OpenID
lets us incorporate every authentication measure we or anyone else
can bring to bear, raising the bar until even *we're* happy with it
(I hope to someday receive different biometric assurances from
multiple OPs, yet I know that even this would probably be too easily
fooled), but it's next to meaningless if the OpenID protocol itself
utilizes DNS (with no SSL, which is why some of us keep insisting
that SSL *is* necessary for OpenID!) - an attacker will simply go
after the weakest link in a chain, DNS.
>So if you claim your own domain as your OpenID, and your email address has
>that domain, that should be fine. If you want you can also run your own OP.
Actually, it's *not* fine - at least, not necessarily. OPs run over
HTTP/HTTPS, but E-mail can be assigned different handling at the
registrar - meaning that even your big business site might enjoy
uninterrupted service from customers while an attacker played MITM to
get their own E-mail address at the server and authenticate with it
at some site that trusted E-mail addresses.
>The trust issue begins with subdomains as OpenIDs where you need to trust
>the domain owner.
And there are solutions for this as well:
http://openid.net/pipermail/general/2008-July/005115.html
The required aggregation is, as Nate pointed out, tricky; but it
*does* get you the "distributed identity" part of a "distributed
internet" that OpenID (as merely one component, of many, in the
internet) can provide us with.
-Shade