That was a nice reply, Nate. So would it be of some help if I restrict the users to sign in through some trusted OPs instead of any x y z? But by doing this, am I not breaking one of the rules of thumb of the OpenID concept? That the users can authenticate themselves through any OP, which, if I restrict it, would not be true on my website.<br>
<br clear="all">Warm Regards<br>Balasubramanian<br>Bob Hope - "I have a wonderful make-up crew. They're the same people restoring the Statue of Liberty."
<br><br>P.S.: It's surprising that you've addressed me by my full name. People generally don't take the pain of typing (or pasting) all 15 characters, and that too with proper spelling. Ha, ha, just a joke.<br><br><div class="gmail_quote">
On Tue, Feb 10, 2009 at 12:57 AM, Nate Klingenstein <span dir="ltr"><<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div style="">Balasubramanian,<div><br></div><div>It's pretty difficult to answer your question for a couple of reasons.</div><div><br></div><div>First, there is a very large gradient between secure and insecure, and every application falls somewhere on that spectrum. You really need to assess how much security is really necessary so you can balance security with usability. There are a lot of attempts out there to build frameworks to help you analyze the quality of authentication and attributes your application needs. You can probably find one. Here is an old example for the U.S. Federal government:</div>
<div><br></div><div><a href="http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf" target="_blank">http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf</a></div><div><br></div><div>Second, there really is no way to gauge the security of any individual OpenID transaction because there is no trust framework. You're relying on the OP to do good identity-proofing, but there's incredible variability in OPs. Some just require a non-bouncing email, while others do identity proofing. Some do better authentication, like Kevin mentioned, and others are plaintext passwords over HTTP. There are some attempts at addressing this variety, like PAPE, but without any trust framework, you're still ultimately relying on the OP to just be honest. I hope upcoming work in the OpenID community will build support for trust frameworks.</div>
<div><br></div><div>Hope this helps,</div><div>Nate.</div></div></blockquote></div><br>
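The OP allowlist Balasubramanian asks about, combined with the PAPE check Nate mentions, sketched as an added example that is not part of this thread: a Relying Party accepts a positive assertion only when the OP endpoint is on a trusted list (URL normalised, https only) and the response carries a required PAPE policy. The endpoint URLs and the sample response are constructed; the openid.op_endpoint and openid.pape.auth_policies field names and the phishing-resistant policy URI come from the OpenID 2.0 and PAPE 1.0 specifications.

```python
"""Added example (not from the thread): RP-side allowlist of trusted OpenID
Providers plus a PAPE policy check, applied to an assertion whose signature
has already been verified and whose op_endpoint was confirmed by discovery."""
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of OP endpoint URLs this site chooses to trust.
TRUSTED_OP_ENDPOINTS = {
    "https://op.example.com/server",
    "https://id.example.org/openid/endpoint",
}

# PAPE 1.0 policy URI the RP requires (real URI from the PAPE specification).
REQUIRED_PAPE_POLICY = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

def normalize_endpoint(url: str) -> str:
    """Canonicalise an OP endpoint so trivial variants compare equal:
    lower-case scheme and host, drop default ports and fragments,
    keep path and query, and use '/' for an empty path."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and (scheme, port) not in {("https", 443), ("http", 80)}:
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))

def op_is_trusted(op_endpoint: str) -> bool:
    """True only for an https endpoint on the allowlist; plaintext-HTTP OPs are rejected."""
    norm = normalize_endpoint(op_endpoint)
    trusted = {normalize_endpoint(u) for u in TRUSTED_OP_ENDPOINTS}
    return norm.startswith("https://") and norm in trusted

def pape_policy_satisfied(response: dict, required: str = REQUIRED_PAPE_POLICY) -> bool:
    """openid.pape.auth_policies is a space-separated list of policy URIs the OP claims it met."""
    policies = response.get("openid.pape.auth_policies", "").split()
    return required in policies

def accept_assertion(response: dict) -> bool:
    """Decide whether a signature-verified positive assertion is acceptable to this RP."""
    return op_is_trusted(response.get("openid.op_endpoint", "")) and pape_policy_satisfied(response)

if __name__ == "__main__":
    # Constructed response fields as an RP would see them after signature verification.
    sample = {"openid.op_endpoint": "HTTPS://OP.Example.com:443/server",
              "openid.pape.auth_policies": REQUIRED_PAPE_POLICY}
    print(accept_assertion(sample))  # True
```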