On 06/09/2010 01:57 AM, From John Kemp:
Well, perhaps, and I would also note that I actually like self-assertion. I don't have a problem with it for lots of use-cases. I don't think it's a problem that people can lie either.
And considering http://esw.w3.org/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F it all depends what you want to protect. If it's some social web site authentication, it might be reasonable to rely on social buddies. But for anything with real value, do you really want to rely on some unknown claims and assertions? Would you give out your company's secrets based on some folks claiming to know Henry or perform a financial or other transaction based on claims made by some web buddies? I wouldn't put my money on that ever.
But the reason people want identity providers, I think, and the potential (note: potential) value they bring is the ability to make an assertion backed up by something close to facts - ie. a verification or "real" authentication process.
In addition to potentially well defined procedures, public key infrastructure, warranties, auditing and more...
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
