The problem with OpenID (TAKE 2)
SitG Admin
sysadmin at shadowsinthegarden.com
Mon May 17 15:19:40 UTC 2010
>The reason I am saying this is because we seem to have got ourselves
>stuck up on the idea that "Only symmetric keys will work". In spite
>of the fact that I am more or less in tune with this idea, have we
>"investigated the fact that asymmetric keys might be the solution to
>the Identity problem?".
Nice spin there: investigated the "fact"?
Controlled by users, doable. Are users ready for that yet? Apparently
not, though you might try asking the folks over at Diaspora.
>I know this will ruffle some feathers around here, but don't you
>think we need to give it a serious consideration for OpenID.
Out of scope for now: asymmetric crypto controlled by 3rd parties
(worse than escrow: in OpenID as it currently stands, we'd be looking at
the equivalent of Trusted Computing) isn't user-centric identity. If
you really want your identity to *belong* to some 3rd party, consider
how difficult it would be to migrate to a new key based on a *shared*
secret.
-Shade