[security] Who bears the risk..
Recordon, David
drecordon at verisign.com
Wed Nov 1 23:22:14 UTC 2006
I wouldn't see a problem with something like that today since the RP
currently doesn't know what sorts of authentication the IdP performs. I
think this is yet another reason reputation networks need to develop in
order to make assertions about IdPs.
--David
-----Original Message-----
From: security-bounces at openid.net [mailto:security-bounces at openid.net]
On Behalf Of Johannes Ernst
Sent: Thursday, October 26, 2006 7:32 PM
To: Dan Lyke
Cc: security at openid.net
Subject: Re: [security] Who bears the risk..
On Oct 26, 2006, at 19:16, Dan Lyke wrote:
> For instance, I may present random OpenID users with a CAPTCHA type
> puzzle the first time they log in, but I could skip that step if their
> Identity Provider appears to be someone whom I believe has already
> adequately verified that they're a human being.
I'd really hate it if that happened. Because I -- speaking about myself
-- would like to have a piece of software do a lot of things for me,
using my identity (and me being responsible for its actions).
If OpenID was only usable by people, a very big chunk of its
attractiveness would disappear for me ...
For example, I'd like it to log into that for-$ news site for me and
pull down the 10 most recent articles so I can put them onto my laptop
to read on the next flight. (or whatever, you get the point, there are
many cases like this one where I'm not operating a browser right then
and there ... ).
Johannes Ernst
NetMesh Inc.