On Tue, Dec 8, 2009 at 10:18 AM, Joseph A Holsten <[email protected]>wrote:
> I don't mean to troll. I just don't understand why RPs don't just trust the > OP's word. Even if this is just a flag to show that Yahoo/JanRain/Google did > the verification, aren't they going to have to ignore it when I send it from > my OP of ill repute? If they're second guessing the OP based on > verified-timestamp and i'm-the-postmaster-i-mean-it, that's at least > something, though it'll still need a whitelist of OP that probably don't > cheat. > > Am I nuts? Are RPs really saying they don't trust an email assertion from a > whitelisted OP without a verified flag? Or that they aren't going to > whitelist at all? > A better way to think about this is that an RP wants to know what kind of certainty or validity there is to the data being provided by the OP. If the OP allows the user to specify an email address without confirming it, the RP should know that — and then do their own confirmation if that email address is being used, say, for sending a receipt after a purchase, or for recovering an account if a user forgets their OpenID (which happens more than you'd imagine). Thus if we ignore the "trust issue(s)", we begin to see that the "verified" attribute has more to do with setting expectations around the quality of the data being provided by the OP to the RP, giving the RP the ability to choose what business-logic-rules to apply to the data. While it would be nice for RPs to implicitly trust OP's assertions, and many will, I think it's worthwhile to provide a mechanism for evaluating this data. Chris -- Chris Messina Open Web Advocate Personal: http://factoryjoe.com Follow me on Twitter: http://twitter.com/chrismessina Citizen Agency: http://citizenagency.com Diso Project: http://diso-project.org OpenID Foundation: http://openid.net This email is: [ ] shareable [X] ask first [ ] private
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
