[security] Username / password etc. is out of scope for OpenID

Alaric Dailey alaricdailey at hotmail.com
Thu Oct 26 01:29:55 UTC 2006


 

>> No central authority must approve or register Relying Parties or
>> Identity Providers.

> I have a problem with this one, since I believe, that there might be in
> the end some kind of authority for compliance reasons perhaps, specially on
> the IDP's...But this is perhaps for later after we agree, that there must
> be a certain compliance by the IDP's.

My 2 cents:

I completely agree with the premise, and am not sure that Eddy ACTUALLY
disagrees...

I think what the spec is trying to say is that they don't want to have a
central company giving its blessing as to whether or not your site may be an
IdP.  On the other hand Eddy is concerned that some effort should be made to
prove an IdP is who they say they are.  This is what CAs are designed for.





