Yay! top post, bottom post, and now inline commenting in the same day/
list!
On Dec 8, 2009, at 12:28 PM, Breno de Medeiros wrote:
Comments inline.
On Tue, Dec 8, 2009 at 10:18 AM, Joseph A Holsten
<[email protected]> wrote:
I don't mean to troll. I just don't understand why RPs don't just
trust the
OP's word. Even if this is just a flag to show that Yahoo/JanRain/
Google did
the verification, aren't they going to have to ignore it when I
send it from
my OP of ill repute? If they're second guessing the OP based on
verified-timestamp and i'm-the-postmaster-i-mean-it, that's at least
something, though it'll still need a whitelist of OP that probably
don't
cheat.
An RP may trust the OP but have its own policies. For instance, an RP
may score accounts for 'spamminess', which is not a black-and-white
concept and a piece of information not available from the OP's
response. Validation date can be an important piece of information
enabling more fine-grained evaluation of an assertion.
Sure it's a fine grained solution, but it seems like tweezers when a
shovel is due. If RPs are actually this sophisticated, or lying to
sound this sophisticated, then more power to them. I concede that some
people are making life annoying enough for y'all that you don't need
me bikeshedding.
Am I nuts? Are RPs really saying they don't trust an email
assertion from a
whitelisted OP without a verified flag? Or that they aren't going to
whitelist at all?
An additional concern is that it is perfectly compatible with the AX
standard (some would say the original intent) that the OP asserts
user-provided values. Indeed, in the absence of a verified email
address, some RPs would be content to accept unverified ones. Being
able to express this status allows OPs to expose data at different
levels of assurance and address different use cases.
Sounds nifty. Any hints as to which RPs have committed to using these
features?
--
j
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
