[security] Nonrepudiation, and Trusting OpenID Providers
Brandon Ramirez
brandon.s.ramirez at gmail.com
Fri Dec 11 03:37:35 UTC 2009
So OpenID is good when security is of little importance? I'm not trying to
be a pain, but the classic response to the trust argument is always that
OpenID is meant for use cases where security isn't important.
The problem is that to every RP, security IS important. To them.
- Brandon
On Thu, Dec 10, 2009 at 4:49 PM, Jacob Bellamy <toarms at gmail.com> wrote:
>
> This might be a silly question, but aren't the interactions between banks
> and government inherently different from, say, a user's interaction with
> LiveJournal? In the former case, security takes precedence, and in the
> latter usability does. If a bank or government institution is an RP, then
> they should have every right to demand you use an OP which they trust, and
> if this is the case, then it is just a matter of using whitelists. Users
> should be wary regardless of using the same identity which they would use to
> log in to social networking sites, in the same manner in which they should
> be wary of using the same password for their Hotmail and for their bank.