[security] Who bears the risk..
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Oct 27 02:35:37 UTC 2006
Dan Lyke wrote:
> As a Relying Party you can do anything you want.
>
> For instance, I may present random OpenID users with a CAPTCHA type
> puzzle the first time they log in, but I could skip that step if their
> Identity Provider appears to be someone whom I believe has already
> adequately verified that they're a human being.
>
> OpenID is about logins, not reputation. Means for reputation can be
> built around it, but in my mind it's just about providing a repeatable
> identifier and not making them reveal authorization information to a
> gazillion different sites.
>
Yes and no... But Pete answered most of the question, of which the
answer I actually knew before... Somehow LiveJournal's (bad)
implementation as an RP disturbed my thinking...
I think, after having an almost required SSL security requirement for
RPs (which I hope we can improve and limit to LANs and networks out of
the scope of public Internet for not being required), there is only the
IDP's implementation of the login facility left... For this I'll make
another example perhaps tomorrow... We are going now baby steps... ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390