[security] Username / password etc. is out of scope for OpenID
Drummond Reed
drummond.reed at cordance.net
Thu Oct 26 00:53:14 UTC 2006
Eddy,
There's OpenID, and then there's OpenID Authentication. I think you're
talking about the larger OpenID framework, while David's talking about
OpenID Authentication as just one service in the OpenID framework. In that
context his description is accurate: OpenID Authentication simply proves you
(the operator of an HTTP(S) session) control a URI/XRI. I liken this very
much to the widely-used closed-loop authentication of an email address
(http://en.wikipedia.org/wiki/Closed-loop_Authentication), except it is
applied in real-time to a URL or XRI. (And, if the outcome of all these
conversations is productive, a good deal more secure.)
However, OpenID the framework can go well beyond just this one service, and
thus the larger topic of OpenID security extends beyond just this one
service (though it certainly includes it, as many other services in the
framework will rely on OpenID AuthN).
=Drummond
_____
From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Wednesday, October 25, 2006 5:30 PM
To: security at openid.net
Subject: Re: [security] Username / password etc. is out of scope for OpenID
Well, based on that sentence alone, it's perhaps useless. What happens
before, after, behind, under and above that specific act (proving the
control of a URI)?
But sincerely, I don't believe that anyone involved at OpenID has this
sentence in mind when speaking, defining, planning and discussing OpenID.
This is not what Dick from SXIP has in mind and that's not what you and I are
thinking...or am I mistaken in this assumption?
And if this is not the real definition of OpenID (your sentence below), then
we perhaps need to get back to the basics and fundamentals and start to define
these things...Anybody?
Recordon, David wrote:
OpenID Authentication is about a user in a given browser session proving to
the RP that they control ("own") a given URI.
--David
_____
From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Wednesday, October 25, 2006 5:13 PM
Cc: security at openid.net
Subject: Re: [security] Username / password etc. is out of scope for OpenID
Recordon, David wrote:
Feel like proposing a better name?
--David
Oh no....Don't change the name...address the issues! RPs which make use of
OpenID are moving the authentication part to the IDP! That's the first and
most important feature of OpenID. Or can you or anybody else tell me what
OpenID is all about? (There is also a topic called Fundamentals; perhaps this
question belongs in the same category.)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390