[security] how secure is openid? advise pls..
Nate Klingenstein
ndk at internet2.edu
Tue Feb 10 01:53:24 UTC 2009
James,
> NO!
>
>
> Restricting users to only "some trusted OPs" absolutely breaks the
> core user-centric identity concept on which OpenID is built.
Please re-read Balasubramanian's comments. My response was, "yes, it
does break one of the rules of thumb," with the addition that many
other things are threatening those concepts today as well.
> That must not be done lightly. It should not be the first
> suggestion (particularly from an OpenID board member) without
> knowing the specifics of a particular web site and its users. Such
> restrictions might be appropriate for some specialist Relying
> Parties, but they should be the exceptions, not the norm.
I'm certainly not a board member, was not nominated, would be
flattered but refuse to serve if nominated, and wonder whether you
meant someone else.
Take care,
Nate.