[OpenID] Abusing Authentication Failure messages

David Nicol davidnicol at gmail.com
Mon Aug 23 17:42:20 UTC 2010


On Mon, Aug 23, 2010 at 11:28 AM, SitG Admin <
sysadmin at shadowsinthegarden.com> wrote:

>  Maarten's perspective is that mandatory compliance, not optional
> compliance, inspires more trust.
>

Right. And he wants OpenID, as "OpenID," to start enforcing this. Which
isn't going to happen because the OpenID brand isn't about that. Something
else -- "OpenYetSecureID" or such -- could be the name for OpenID "done
right" from the security perspective.

I am not in a position to do anything other than pose the questions if the
two resulting conversations, "What exactly is the Secure OpenID BCP" and
"What do we call it?" are proper traffic for this list.  I'm only here
because something earlier in the thread triggered a filter that routed the
message into a folder I regularly look at; I'm glad Shade was able to use
today's new .sig constructively, its selection as a .sig was due to a
decision made prior to entering this discussion (FMTYNTK, yeah).

Ciao

Dave

-- 
"Elevator Inspection Certificate is on file in the Maintenance Office"