[security] security
James A. Donald
jamesd at echeque.com
Sat Oct 28 22:48:41 UTC 2006
--
Martin Atkins wrote:
> The spec that we are calling "OpenID Authentication"
> provides a protocol for an RP to ask an IdP whether
> some user controls a given URI.
>
> It specifies the use of another protocol — Yadis — as a
> mechanism to discover a list of IdPs that will answer
> for a given URI.
>
> Anything else is outside of the scope of OpenID
> Authentication.

This reminds me of similar conversations about PKI.

The problem is not whether OpenID conforms to the OpenID
specification, but whether the OpenID specification is
good enough for the job.

The problem that OpenID, as presently specified, solves
is one person posting to a blog pretending to be another
person who posts to that blog or another blog.

The problem that operators of blogs face is spam.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
4u86zeyPP+X4RV0dtUrfjFcfYSl6f2aIBbf4K/N2
49+2EdGpvWdZAfJ9aAY/tLw5DSZb05U/b/6vFCIT2