So would it be of some help if I restrict the users to sign in through some trusted OPs instead of any x, y, z?

The question then becomes - how do you know you can trust a given OP?

But by doing this am I not breaking one of the rules of thumb in the OpenID concept? That the users can authenticate themselves through any OP, which, if I restrict it, would not be true on my website.

You can always look for assertions that the OP has implemented various authentication mechanisms (biometrics, for instance), and then - provided, of course, that you *believe* the OP has actually applied these challenges properly - display a message to the user saying "This site has been told by your OP that you passed your OP's biometric authentication method. If you have not been challenged for your fingerprint or similar data, be advised that your OP is exchanging in fraudulent transactions and you should find another OP."

Or, if those assertions are *not* present, inform the user that their OP has vouched for them but the level of security is not sufficient to permit full services. You might also deny them further service entirely, on the grounds that the nature of your site does not readily lend itself to the concept of partial services, or that programming granularity in those services would be more trouble than it's worth.

-Shade
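The relying-party decision described in the reply above (trusted-OP allowlist, then full, partial or no service depending on which authentication-policy assertions the OP made), written out as an added example; it is not code from the thread or from any OpenID library. It assumes the OP's positive assertion is already available as a dict of OpenID key/value pairs after signature verification, that the policy URIs and the `openid.pape.auth_policies` / `openid.signed` parameters follow the OpenID PAPE 1.0 and OpenID 2.0 specifications, and that the allowlist of OP hosts is the relying party's own configuration (the hosts here are constructed).

```python
"""Relying-party policy check for an OpenID assertion (added example).

Assumptions: `response` is the verified positive assertion as a dict of
"openid.*" keys; policy URIs come from the PAPE 1.0 extension; the OP
allowlist and the required policy set are this relying party's own choices.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# PAPE 1.0 authentication policy identifiers.
PAPE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = PAPE + "phishing-resistant"
MULTI_FACTOR = PAPE + "multi-factor"
MULTI_FACTOR_PHYSICAL = PAPE + "multi-factor-physical"
PAPE_NONE = PAPE + "none"

# Constructed allowlist: OP endpoint hosts this relying party has decided to trust.
TRUSTED_OP_HOSTS = frozenset({"op.example.net", "login.example.org"})

# Policies the site requires before granting full service (hypothetical choice).
REQUIRED_FOR_FULL = frozenset({MULTI_FACTOR_PHYSICAL})


@dataclass
class Decision:
    level: str      # "full", "partial" or "deny"
    message: str    # text shown to the user, in the spirit of the reply above


def op_host(response: dict) -> str:
    """Host of the OP endpoint that issued the assertion."""
    return urlparse(response.get("openid.op_endpoint", "")).hostname or ""


def signed_fields(response: dict) -> set:
    """Field names (without the 'openid.' prefix) covered by the OP's signature."""
    return set(response.get("openid.signed", "").split(","))


def asserted_policies(response: dict) -> set:
    """Policy URIs the OP asserts, but only if that field is under the signature.

    An unsigned extension field could have been added in transit, so it is
    treated as if the OP had asserted nothing.
    """
    if "pape.auth_policies" not in signed_fields(response):
        return set()
    policies = set(response.get("openid.pape.auth_policies", "").split())
    policies.discard(PAPE_NONE)
    return policies


def decide(response: dict, required: frozenset = REQUIRED_FOR_FULL) -> Decision:
    """Allowlist first, then service level based on asserted policies."""
    host = op_host(response)
    if host not in TRUSTED_OP_HOSTS:
        return Decision("deny", f"Sign-in through {host or 'an unknown OP'} is not accepted on this site.")
    policies = asserted_policies(response)
    if required <= policies:
        return Decision(
            "full",
            "This site has been told by your OP that you passed a physical "
            "multi-factor (e.g. biometric) challenge. If you were not challenged "
            "for such data, your OP is misrepresenting its checks; consider another OP.",
        )
    return Decision(
        "partial",
        "Your OP has vouched for you, but did not assert the authentication "
        "strength this site requires for full service; some features are disabled.",
    )


if __name__ == "__main__":
    # Constructed sample assertion from a trusted OP with a signed PAPE field.
    sample = {
        "openid.op_endpoint": "https://op.example.net/openid",
        "openid.signed": "op_endpoint,claimed_id,return_to,pape.auth_policies",
        "openid.pape.auth_policies": MULTI_FACTOR + " " + MULTI_FACTOR_PHYSICAL,
    }
    print(decide(sample))
```

The check against `openid.signed` is the part most easily forgotten: the OP's positive assertion is signed as a whole, so a policy claim that is present but not listed among the signed fields carries no more weight than no claim at all.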
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security