No subject
Thu Aug 31 20:54:33 PDT 2006
requiring them to remember and type 2 different passwords to get into
your site. Once for your site, and once for the IdP. This would give
the security-concerned RPs a sense of extra control over the access
to their service at the cost of contributing to the "password for
every site" problem that OpenID aims to fix.

Switching from a username/password combo to an openid/password is
actually even more secure. A would-be intruder wouldn't be able to
even try to log into your site unless he first passed the OpenID
authentication check.

An RP has to do whatever it needs to do to make sure it trusts its
user. If emails need to be verified, they can still be verified. (AX
will just make it faster.) If they need to be CAPTCHA verified, then
the RP will still need to do that before they can trust the user.
Hopefully, once the upper layers of the OpenID Framework get underway
we'll even see a distributed way to transfer the image so I can enter
the letters on my IdP's page when I'm trying to decide what
information to send them.

I'm sure on most RPs the hypothetical no-password.com would be the
first entry in the IdP blacklist. (followed by everybody on the email
blacklist)

On 10/29/06, James A. Donald <jamesd at echeque.com> wrote:
> --
> Dan Lyke wrote:
> > Reputation systems merely require an identity which
> > will be shared between systems. OpenID provides that.
> >
> > Reputation systems can be built on top of OpenID
> > completely independently of OpenID.
>
> Presumably we want to assign a reputation both on the
> basis of the individual and of the identity provider, so
> not "completely independent".
>
> > If you want a centralized login system with some
> > weight to the sign-in process, both Yahoo and Google
> > will let you use their user base. It's not that hard
> > to sign up for those systems. Those users have been
> > through a CAPTCHA authentication. Yahoo and Google
> > both have TOS agreements under which they terminate
> > users.
>
> "Open" should mean that multiple people can perform the
> role that Google performs. At present, no one can
> perform the role that Google performs. If the spammers
> start using OpenID on Tuesday, what do we do on
> Thursday?
>
> --digsig
> James A. Donald
> 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
> 8nueTAX/6VjtbBAvHLFNUQgEnWcrEj4ceppUMoW6
> 4wdaKVHPVJ+hGKBLLODwTrVHlEWbi1PqWJUsFkZOs