No subject


Thu Aug 31 20:54:33 PDT 2006


But it's definitely NOT an authentication protocol... in fact
authentication is totally optional. And that's a feature! At least for
now...

	-Gabe

> -----Original Message-----
> From: security-bounces at openid.net [mailto:security-bounces at openid.net]
> On Behalf Of Pete Rowley
> Sent: Wednesday, October 25, 2006 5:00 PM
> To: Johannes Ernst
> Cc: security at openid.net
> Subject: Re: [security] Username / password etc. is out of scope for
> OpenID
>
> Johannes Ernst wrote:
> > I was asked to post this "reminder" to this list:
> >
> I believe the problem begins by calling the spec OpenID Authentication
> when that is precisely what it doesn't define.
> >> As the recent discussions on the list(s) show, one job we clearly
> >> need to do much better than we have so far is communicating design
> >> rationales.
> >>
> >> For example, one design choice is that OpenID makes no statements
> >> about how a user authenticates against their IdP -- by
> >> username/password, by hardware token, biometrics or not at all. The
> >> rationale behind it is this lofty principle of "orthogonality" --
> >> if one can design two parts separately, we believe it's generally a
> >> good idea to do so; so far, OpenID has defined one but left the
> >> other to implementors.
> >>
> >> People may agree or disagree with this choice -- but we need to
> >> explain much better why we made this choice, and how add-ons can
> >> be constructed to meet additional requirements. I don't want to
> >> argue this point right now, but just a reminder that that's the
> >> choice that has been made.
>
> --
> Pete


_______________________________________________
security mailing list
security at openid.net
http://openid.net/mailman/listinfo/security