[security] Username / password etc. is out of scope for OpenID
Johannes Ernst
jernst+openid.net at netmesh.us
Thu Oct 26 00:12:48 UTC 2006
Hang on, guys.
It does authenticate one object in cyberspace against another.
It does not authenticate one object in meatspace against one in
cyberspace.
At least that's the way I look at it.
On Oct 25, 2006, at 17:05, Recordon, David wrote:
> Feel like proposing a better name?
>
> --David
>
> -----Original Message-----
> From: security-bounces at openid.net [mailto:security-bounces at openid.net]
> On Behalf Of Gabe Wachob
> Sent: Wednesday, October 25, 2006 5:04 PM
> To: 'Pete Rowley'; 'Johannes Ernst'
> Cc: security at openid.net
> Subject: Re: [security] Username / password etc. is out of scope for
> OpenID
>
> I 100% agree with Pete here.
>
> OpenID is, from an RP's POV, an authentication outsourcing protocol.
>
> From a user's POV, it's an authentication reuse protocol.
>
> But it's definitely NOT an authentication protocol... in fact
> authentication is totally optional. And that's a feature! At least for
> now...
>
> -Gabe
>
>> -----Original Message-----
>> From: security-bounces at openid.net [mailto:security-bounces at openid.net]
>> On Behalf Of Pete Rowley
>> Sent: Wednesday, October 25, 2006 5:00 PM
>> To: Johannes Ernst
>> Cc: security at openid.net
>> Subject: Re: [security] Username / password etc. is out of scope for
>> OpenID
>>
>> Johannes Ernst wrote:
>>> I was asked to post this "reminder" to this list:
>>>
>> I believe the problem begins by calling the spec OpenID Authentication
>> when that is precisely what it doesn't define.
>>>> As the recent discussions on the list(s) show, one job we clearly
>>>> need to do much better than we have so far is communicating design
>>>> rationales.
>>>>
>>>> For example, one design choice is that OpenID makes no statements
>>>> about how a user authenticates against their IdP -- by
>>>> username/password, by hardware token, biometrics or not at all. The
>>>> rationale behind it is this lofty principle of "orthogonality" --
>>>> if one can design two parts separately, we believe it's generally a
>>>> good idea to do so; so far, OpenID has defined one but left the
>>>> other to implementors.
>>>>
>>>> People may agree or disagree with this choice -- but we need to
>>>> explain much better why we made this choice, and how add-ons can
>>>> be constructed to meet additional requirements. I don't want to
>>>> argue this point right now, but just a reminder that that's the
>>>> choice that has been made.
>>
>> --
>> Pete
>
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst