[security] Username / password etc. is out of scope for OpenID
Dan Lyke
danlyke at flutterby.com
Thu Oct 26 18:25:05 UTC 2006
On Thu, 26 Oct 2006 11:06:39 -0700, Eddy Nigg (StartCom Ltd.) wrote:
> But there is a thing which I don't understand: Shouldn't OpenID
> (and all the others) be compatible between each other and interact?
GET https://idpidentificationauthority.com/isok/http://myopenidurl
Content-Type: text/xml
<reply><authorized>false</authorized>
<reason>Uses http, not https</reason></reply>
This is something that Relying Parties will presumably be using as a
condition of their adoption of very specific technologies (credit card
processing and the like). The Relying Party is already doing specific
things to work with their credit card processor; it seems like that
should really be a part of the libraries that do credit card
authorization.
If Visa wants to impose a standard on credit card processors, that's
Visa's business. If you want to be the go-between between Visa and the
credit card processors, more power to you! If, in building this third
party identification authority you can get Visa, MasterCard, Discover,
AmEx and PayPal to agree on a standard, then I'll consider abandoning
atheism.
Dan