[security] Username / password etc. is out of scope for OpenID

Pete Rowley prowley at redhat.com
Thu Oct 26 00:00:01 UTC 2006


Johannes Ernst wrote:
> I was asked to post this "reminder" to this list:
>
I believe the problem begins by calling the spec OpenID Authentication 
when that is precisely what it doesn't define.
>> As the recent discussions on the list(s) show, one job we clearly 
>> need to do much better than we have so far is communicating design 
>> rationales.
>>
>> For example, one design choice is that OpenID makes no statements 
>> about how a user authenticates against their IdP -- by 
>> username/password, by hardware token, biometrics or not at all. The 
>> rationale behind it is this lofty principle of "orthogonality" -- if 
>> one can design two parts separately, we believe it's generally a good 
>> idea to do so; so far, OpenID has defined one but left the other to 
>> implementors.
>>
>> People may agree or disagree with this choice -- but we need to 
>> explain much better why we made this choice, and how add-ons can be 
>> constructed to meet additional requirements. I don't want to argue 
>> this point right now, but just a reminder that that's the choice that 
>> has been made.

-- 
Pete
