[security] Username / password etc. is out of scope for OpenID
Johannes Ernst
jernst+openid.net at netmesh.us
Wed Oct 25 23:09:16 UTC 2006
I was asked to post this "reminder" to this list:
> As the recent discussions on the list(s) show, one job we clearly
> need to do much better than we have so far is communicating design
> rationales.
>
> For example, one design choice is that OpenID makes no statements
> about how a user authenticates against their IdP -- by username/
> password, by hardware token, biometrics or not at all. The
> rationale behind it is this lofty principle of "orthogonality" --
> if one can design two parts separately, we believe it's generally a
> good idea to do so; so far, OpenID has defined one but left the
> other to implementors.
>
> People may agree or disagree with this choice -- but we need to
> explain much better why we made this choice, and how add-ons can
> be constructed to meet additional requirements. I don't want to
> argue this point right now, but just a reminder that that's the
> choice that has been made.
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst