this into the definitions?
Thanks Mike
Mike,
The OpenID Authentication spec intentionally doesn't define how an
OpenID provider authenticates users. You can use whatever mechanism
you want at the provider instead of a username and password.
--
Trevor Johns
http://tjohns.net
On Jan 4, 2008, at 12:45 AM, Artur Bergman wrote:
On Jan 4, 2008, at 7:28 AM, Trevor Johns wrote:
6. I can't see how this can be used securely. DNS is highly vulnerable
to attack.
Which is why the internet isn't working at all. Ever, Never!
Hey, that's not fair!
DNS is well designed
click OK.
If a service provider detects an SSL failure, there's no person there
to press okay. Their server will just summarily deny the
authentication request.
The click OK problem is only between client-server communication.
This is server-server communication.
--
Trevor Johns
http
will be used as the user's claimed identifier).
The first case (email address is the claimed identifier) is definitely
preferable. However, like traditional OpenID delegation, care must be
taken to make sure that a malicious user isn't able to modify the
delegation pointer.
--
Trevor Johns
don't they just use that in the first place?
--
Trevor Johns
http://tjohns.net
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
On Jan 3, 2008, at 10:28 PM, Trevor Johns wrote:
Erin,
While it sounds nice at first glance, there are a number of problems
I see with this:
Oh, and one more I thought up right after I hit send:
7. If their email provider is willing to set up an OP they'd probably
also be willing