<br><br><div class="gmail_quote">On Mon, Feb 9, 2009 at 5:53 PM, Nate Klingenstein <span dir="ltr">&lt;<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word"><div><div class="Ih2E3d"><blockquote type="cite"><p style="margin:0.0px 0.0px 0.0px 0.0px;font:12.0px Helvetica;min-height:14.0px"><br></p> <p style="margin:0.0px 0.0px 0.0px 0.0px"><font face="Helvetica" size="3" style="font:12.0px Helvetica">Restricting users to only "some trusted OPs" absolutely breaks the core user-centric identity concept on which OpenID is built.</font></p>
</blockquote></div><div>Please re-read Balasubramanian's comments. My response was, "yes, it does break one of the rules of thumb," with the addition that many other things are threatening those concepts today as well.</div>
</div></div></blockquote><div><br></div><div>Replace "OpenID" with "email" and I think you get a clearer picture of the answer to your question. Which email domains do you want to prevent users using for signing up for an account?</div>
<div><br></div><div>Since most user accounts are as secure as someone's email account, I don't think that supporting OpenID weakens or lessens that situation. In fact, if you support SSL, you can improve it for your users — and provide them with a means to have greater security — through the choice of a secure OpenID Provider. </div>
</div><br>It isn't that OpenID is or isn't more secure in and of itself. In combination with other technologies, it can change the threat model for user accounts on the web, moving away from usernames and passwords that are treated like confetti and strewn about across the web to one where an individual is incentivized to protect their identity/OpenID.<br clear="all">
<br><div>In any case, familiarizing yourself with how OpenID works is critical. From a convenience perspective, I think preventing your users from having to create yet another username and password is certainly a benefit and worth considering as well.</div>
<div><br></div><div>Chris</div><div><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Web Advocate-at-Large<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>