On 2/20/07, Phil Kulak <[EMAIL PROTECTED]> wrote:
> Whitelisting would be an option, but I'm not sure I like it. The most
> secure identity provider can be the one hosted on your own box, so it
> seems a little odd that those are the ones I wouldn't allow. Do you
> mean that I could set up some kind of click-through and have it show
> up only if the user's IP is not on the whitelist? That could be an
> option.

I was suggesting that you whitelist OpenID providers, and show the click-through if the user has an OP that is not on the whitelist, since you don't know anything about that provider. It won't be very common that an OP can be hosted on a person's own computer, since an OP needs to be reachable by the relying party (for association or check_authentication) and most people's computers are behind a firewall or at least don't have static IPs.

Josh
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
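
One way a relying party could make the whitelist decision discussed in this message, as an added example that is not part of the original thread or of any OpenID library. The host names, the function names and the three outcome labels are assumptions made for illustration; the check is applied to the discovered OP endpoint URL, the one the relying party would contact for association or check_authentication.

```python
from urllib.parse import urlsplit

# Constructed sample whitelist of OP endpoint hosts (hypothetical names).
TRUSTED_OP_HOSTS = {"openid.example.org", "op.example.net"}


def normalize_op_host(op_endpoint_url):
    """Return the lowercase host of an OP endpoint URL, or None if unusable."""
    try:
        parts = urlsplit(op_endpoint_url.strip())
        _ = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # Refuse userinfo: in "https://trusted-host@other-host/" the real host
    # is other-host, and the trusted name is only decoration.
    if parts.username is not None or parts.password is not None:
        return None
    # A trailing dot names the same DNS host; hostname is already lowercased.
    return parts.hostname.rstrip(".")


def op_decision(op_endpoint_url, trusted=TRUSTED_OP_HOSTS):
    """Return 'proceed', 'click_through' or 'reject' for a discovered OP endpoint."""
    host = normalize_op_host(op_endpoint_url)
    if host is None:
        return "reject"
    # Exact match on the parsed host. Substring or suffix tests would let
    # "openid.example.org.attacker.example" pass as a whitelisted provider.
    return "proceed" if host in trusted else "click_through"


if __name__ == "__main__":
    for url in (  # constructed sample endpoints
        "https://openid.example.org/server",
        "https://openid.example.org.attacker.example/server",
        "https://openid.example.org@home.example/op",
        "https://home.example:8443/op",
    ):
        print(f"{op_decision(url):13} {url}")
```
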
