[security] security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sun Oct 29 11:41:49 UTC 2006
Daniel E. Renfer wrote:
> There is one thing that I think I should point out that no one else
> has really mentioned because it kinda goes against what OpenId stands
> for. Correct me if I'm wrong but, there is nothing in the OpenId spec
> that prevents you from requiring your own password on top of the
> OpenId authentication.
>
Which is exactly the opposite of the purpose of OpenID... In such a case,
what should OpenID be good for in the first place?
> I'm sure on most RPs the hypothetical no-password.com would be the
> first entry in the IdP blacklist. (followed by everybody on the email
> blacklist)
>
I guess that no-password.com is not so hypothetical, but exists already
in similar forms... My suggestion, however, would be to handle a central
list of GOOD IDPs instead of starting a bunch of blacklists as they
are in SMTP. The advantage would also be that the list starts with
positives instead of negatives, which you first don't know where and who
they are and have to be discovered first. Bad IDPs usually get
discovered only after some damage has been done, and with today's
possibilities, the blacklist would always be behind...
Such a central registry would not prevent the adding of additional
registries or networks, but would guarantee a basic adherence to a
defined standard, making OpenID in every form useful, for hobbyists and
commercial providers alike.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Eddy Nigg <http://www.startcom.org> <eddy_nigg at startcom.org>
StartCom Ltd. - StartCom CA - MediaHost (TM)