<div dir="ltr">I don't think Shane was saying it's great for low-security needs. But if you don't feel you can trust a random OP, Shane was saying you as an RP can choose to trust only certain OPs so they are not random. Microsoft HealthVault is an example of an RP that chooses merely 3 OPs to trust. The OPs on the other hand don't have to do any extra work.<br>
<br><div class="gmail_quote">On Sun, Oct 19, 2008 at 9:45 AM, Brandon Ramirez <span dir="ltr"><<a href="mailto:brandon.s.ramirez@gmail.com">brandon.s.ramirez@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div dir="ltr">So it's great security if you need very little security?<br><br>Transactions of value are precisely where we need federated identity. I have different logins for my bank, credit card company, car insurance, every everything under the sun. Except I can share identity between my blog and a site like Flicker.<br>
<font color="#888888">
<br>- Brandon</font><div><div></div><div class="Wj3C7c"><br><br><div class="gmail_quote">On Sun, Oct 19, 2008 at 12:36 PM, Shane B Weeden <span dir="ltr"><<a href="mailto:sweeden@au1.ibm.com" target="_blank">sweeden@au1.ibm.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<br><tt><font size="2">Brandon: <br>
> [...] Why should I trust a random OP?<br>
> <br>
</font></tt>
<br><tt><font size="2">You shouldn't, and nobody is claiming you should for
any transaction of value. What does excite me about OpenID (and InfoCard
for that matter) over other SSO protocols like SAML is the zero cost of
onboarding additional RP's if I am acting as an IDP. All the RP needs to
do (besides following a best-practices secure deployment model) is define
that they trust the IDP (e.g. for OpenID define a trusted list of OP endpoints)
and the IDP need do nothing in particular.</font></tt>
<br>
<br><tt><font size="2">Sure, there are dynamic extensions to SAML like those
defined by Shibboleth for dynamic metadata sharing, but out-of-the-box
nothing I've been exposed to thus far quite matches the simplicity of the
OpenID model.</font></tt>
<br><font color="#888888">
<br><tt><font size="2">=shane</font></tt></font></blockquote></div><br></div></div></div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br></div>