[security] Username / password etc. is out of scope for OpenID

Gabe Wachob gabe.wachob at amsoft.net
Thu Oct 26 00:03:36 UTC 2006


I 100% agree with Pete here. 

OpenID is, from an RP's POV, an authentication outsourcing protocol. 

From a user's POV, it's an authentication reuse protocol. 

But it's definitely NOT an authentication protocol... in fact authentication
is totally optional. And that's a feature! At least for now...

	-Gabe

> -----Original Message-----
> From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
> Behalf Of Pete Rowley
> Sent: Wednesday, October 25, 2006 5:00 PM
> To: Johannes Ernst
> Cc: security at openid.net
> Subject: Re: [security] Username / password etc. is out of scope for
> OpenID
> 
> Johannes Ernst wrote:
> > I was asked to post this "reminder" to this list:
> >
> I believe the problem begins by calling the spec OpenID Authentication
> when that is precisely what it doesn't define.
> >> As the recent discussions on the list(s) show, one job we clearly
> >> need to do much better than we have so far is communicating design
> >> rationales.
> >>
> >> For example, one design choice is that OpenID makes no statements
> >> about how a user authenticates against their IdP -- by
> >> username/password, by hardware token, biometrics or not at all. The
> >> rationale behind it is this lofty principle of "orthogonality" -- if
> >> one can design two parts separately, we believe it's generally a good
> >> idea to do so; so far, OpenID has defined one but left the other to
> >> implementors.
> >>
> >> People may agree or disagree with this choice -- but we need to
> >> explain much better why we made this choice, and how add-on's can be
> >> constructed to meet additional requirements. I don't want to argue
> >> this point right now, but just a reminder that that's the choice that
> >> has been made.
> 
> --
> Pete
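Added example, not code from this thread or from any OpenID project: a constructed Python sketch of the two halves Gabe and Pete describe, an OP issuing a positive assertion and an RP checking it. It follows the signing rule in OpenID Authentication 2.0 (an HMAC over the key-value form of the fields listed in `openid.signed`), but the association handle, MAC key, URLs and nonce are made up, and `op_issue_assertion`, `RelyingParty` and `demo` are names chosen here. The point it shows is the one under discussion: the RP verifies the signature, the `return_to` it expects and nonce freshness, and the message carries nothing at all about how, or whether, the user authenticated to the OP.

```python
import base64
import hashlib
import hmac

# Constructed association. In OpenID the RP obtains this shared MAC key from
# the OP during the association step; the handle names it inside assertions.
ASSOCIATIONS = {
    "assoc-handle-example": {
        "mac_key": b"constructed-mac-key-not-a-real-secret-0",
        "assoc_type": "HMAC-SHA256",
    }
}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Fields the RP relies on; they must be inside the signed set or the
# signature says nothing about them.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def kv_form(fields, signed_keys):
    """Key-value form that OpenID 2.0 signs: 'key:value\\n' per listed field, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys).encode()


def compute_sig(fields, assoc):
    """Base64 HMAC over the key-value form, keyed with the association's MAC key."""
    signed_keys = fields["openid.signed"].split(",")
    digest = hmac.new(assoc["mac_key"], kv_form(fields, signed_keys),
                      DIGESTS[assoc["assoc_type"]]).digest()
    return base64.b64encode(digest).decode()


def op_issue_assertion(claimed_id, return_to, nonce, assoc_handle="assoc-handle-example"):
    """OP side: produce a positive assertion (hypothetical helper).

    Whatever the user did to satisfy the OP (password, hardware token,
    nothing) happened before this call and is not represented in the message.
    """
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = compute_sig(fields, ASSOCIATIONS[assoc_handle])
    return fields


class RelyingParty:
    """RP side: accept or reject an assertion using only what the message carries."""

    def __init__(self, return_to):
        self.return_to = return_to
        self.seen_nonces = set()  # replay protection for response_nonce

    def verify(self, fields):
        """Return the claimed identifier, or None if the assertion is rejected."""
        if fields.get("openid.mode") != "id_res":
            return None
        assoc = ASSOCIATIONS.get(fields.get("openid.assoc_handle"))
        if assoc is None:
            return None  # unknown association; a real RP would fall back to check_authentication
        signed_keys = fields.get("openid.signed", "").split(",")
        if any(k not in signed_keys for k in REQUIRED_SIGNED):
            return None  # a relied-upon field is outside the signature
        if any("openid." + k not in fields for k in signed_keys):
            return None  # signed list names a field that is missing
        if not hmac.compare_digest(compute_sig(fields, assoc), fields.get("openid.sig", "")):
            return None  # tampering with any signed field ends up here
        if fields["openid.return_to"] != self.return_to:
            return None  # assertion was minted for a different RP endpoint
        nonce = fields["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None  # replayed assertion
        self.seen_nonces.add(nonce)
        return fields["openid.claimed_id"]


def demo():
    """Accept a fresh assertion, reject its replay, reject a tampered copy."""
    rp = RelyingParty("https://rp.example/return")
    good = op_issue_assertion("https://alice.example/", rp.return_to, "2006-10-26T00:00:00Zabc")
    accepted = rp.verify(good)
    replayed = rp.verify(good)
    tampered = dict(good, **{"openid.identity": "https://mallory.example/"})
    forged = rp.verify(tampered)
    return accepted, replayed, forged


if __name__ == "__main__":
    print(demo())
```

Note the absence of anything like an authentication-method field in `op_issue_assertion`: the RP's decision rests on the association key, the signed field set, `return_to` and the nonce, which is exactly the "outsourcing" relationship described above.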
