[security] Nonrepudiation, and Trusting OpenID Providers
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Dec 8 00:56:49 UTC 2009
>This is because a relying party cannot tell the difference between a
>user attempting to log in using his or her identifier, and the
>user's OpenID provider spoofing that user to gain access to whatever
>services the relying party provides to that user.
This is correct, yes. See this post:
http://lists.openid.net/pipermail/openid-general/2008-July/014536.html
Also see David Fuelling's work on MultiAuth.
-Shade