<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Nate Klingenstein:
<blockquote
cite="mid:B8BBB4B9-C956-49A3-B671-B4ED47AB0873@internet2.edu"
type="cite">
<pre wrap="">Dick,
</pre>
<blockquote type="cite">
<pre wrap="">The OP is the users agent managing their identity and the
architecture is such that the user should be able to choose any OP
they want.
You can trust the identifier from the OP the same as you can trust
the user in presenting their username and password.
</pre>
</blockquote>
<pre wrap=""><!---->
Are you sure? As a classical application, I request the username/
password directly from the user. Nobody (should, heh) know the
password besides me and the application, and it's (usually) protected
in transit.
</pre>
</blockquote>
<br>
I think username/password pairs shouldn't be used at all anymore and
when looking at <a class="moz-txt-link-freetext" href="http://openiddirectory.com/">http://openiddirectory.com/</a> for providers one might see
an interesting development and trend of using client certificate based
authentication. That's just a side-note about how OpenID providers
take on this issue more and more...in that respect the trust in OPs is
improving, but obviously there is no requirement at all for any type of
authentication...<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>