Yahoo available AX attrs

Chris Messina chris.messina at gmail.com
Tue Dec 8 18:59:42 UTC 2009 

On Tue, Dec 8, 2009 at 10:18 AM, Joseph A Holsten
<joseph at josephholsten.com>wrote:

> I don't mean to troll. I just don't understand why RPs don't just trust the
> OP's word. Even if this is just a flag to show that Yahoo/JanRain/Google did
> the verification, aren't they going to have to ignore it when I send it from
> my OP of ill repute? If they're second guessing the OP based on
> verified-timestamp and i'm-the-postmaster-i-mean-it, that's at least
> something, though it'll still need a whitelist of OP that probably don't
> cheat.
>
> Am I nuts? Are RPs really saying they don't trust an email assertion from a
> whitelisted OP without a verified flag? Or that they aren't going to
> whitelist at all?
>

A better way to think about this is that an RP wants to know what kind of
certainty or validity there is to the data being provided by the OP.

If the OP allows the user to specify an email address without confirming it,
the RP should know that — and then do their own confirmation if that email
address is being used, say, for sending a receipt after a purchase, or for
recovering an account if a user forgets their OpenID (which happens more
than you'd imagine).

Thus if we ignore the "trust issue(s)", we begin to see that the "verified"
attribute has more to do with setting expectations around the quality of the
data being provided by the OP to the RP, giving the RP the ability to choose
what business-logic-rules to apply to the data.

While it would be nice for RPs to implicitly trust OP's assertions, and many
will, I think it's worthwhile to provide a mechanism for evaluating this
data.

Chris

-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20091208/807b1987/attachment.htm>

More information about the specs mailing list