Agreed, OpenID does not identify a *person*, rather that the user of the current browser session has control over the given URI. This is the same as email, you can't guarantee the email server only allows one person to use each address.
I think the issue is that for IdPs doing nothing other than being an IdP, this won't be a concern. Though for people making IdPs out of other applications, this could be a problem. Thus making it required seems to actually hurt us since, as Mart said, they'll just say they did it. :-\

--David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dick Hardt
Sent: Monday, October 02, 2006 9:33 AM
To: Martin Atkins
Cc: email@example.com
Subject: Re: [PROPOSAL] authentication age

On 2-Oct-06, at 2:48 AM, Martin Atkins wrote:

> Recordon, David wrote:
>> That was going to be my exact follow-up to my own message, though got
>> distracted. What I phrased was how Dick described it.
>>
>> I like the feature, though agree that many IdPs may be unable to
>> implement it due to how they do session handling. It could be
>> augmented to also contain a response parameter telling the RP if the
>> IdP acknowledged it, then the RP could make the decision if it wants
>> to proceed.
>>
> But again, IdPs will just send it whether they did it or not, because
> it's like a "make it work" flag; people will quickly forget/dismiss
> what it really means and set it just to make their IdP work.
>
> Unless you've got some way to *prove* that you did it (I can't think
> of one) there's no point.
>
> This also ignores the fact that not all "IdPs" are going to use
> sessions and passwords. One could potentially make one that acts on a
> presented certificate, for example. Or one which just returns "Yes" to
> everything as an anonymising tool.

OpenID, like many other protocols, places trust on the IdP that it will operate per the protocol. The user takes responsibility for choosing an IdP that they trust to operate appropriately. E.g.: there is nothing that stops an IdP from *proving* a particular URL belongs to a particular user.

Currently I have blame.ca pointing to dick.hardt.myopenid.com; the myopenid.com server could state any user at myopenid.com owns blame.ca, but I trust myopenid.com to not do that. There is no way to *prove* it is me using the URL.

-- Dick

_______________________________________________
specs mailing list
firstname.lastname@example.org
http://openid.net/mailman/listinfo/specs
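As an added example, not code from this thread or from any OpenID implementation: an RP-side policy for the acknowledgement parameter David proposes, showing what the RP can actually check (that the IdP signed the claim and said it honoured the request) versus what it cannot (that the IdP really re-authenticated the user). The parameter names `openid.auth_age` and `openid.auth_age_ack` are assumptions; the signing follows the OpenID 1.1 scheme (base64 HMAC-SHA1 over `key:value` lines of the fields listed in `openid.signed`).

```python
import base64
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical parameter names (an assumption for this example, not from the thread):
#   openid.auth_age      seconds since the IdP last actively authenticated the user
#   openid.auth_age_ack  "true" if the IdP says it honoured the RP's max-age request
AUTH_AGE, AUTH_AGE_ACK = "openid.auth_age", "openid.auth_age_ack"


def _token(resp: Dict[str, str]) -> bytes:
    """OpenID 1.1 token: 'key:value\\n' for every field named in openid.signed."""
    fields = [f for f in resp.get("openid.signed", "").split(",") if f]
    return "".join(f"{f}:{resp.get('openid.' + f, '')}\n" for f in fields).encode()


def sign_response(resp: Dict[str, str], mac_key: bytes) -> Dict[str, str]:
    """What the IdP does: put base64(HMAC-SHA1(mac_key, token)) into openid.sig."""
    out = dict(resp)
    out["openid.sig"] = base64.b64encode(hmac.new(mac_key, _token(out), hashlib.sha1).digest()).decode()
    return out


def evaluate_auth_age(resp: Dict[str, str], mac_key: bytes, max_age: int) -> Tuple[str, str]:
    """RP-side policy, returns (decision, reason):
    proceed  - IdP acknowledged and the signed age is within max_age
    step_up  - IdP did not verifiably honour the request; the RP decides what to do
    reject   - the response cannot be trusted at all
    """
    sig = base64.b64encode(hmac.new(mac_key, _token(resp), hashlib.sha1).digest()).decode()
    if not hmac.compare_digest(sig, resp.get("openid.sig", "")):
        return "reject", "bad signature"
    signed = {"openid." + f for f in resp.get("openid.signed", "").split(",")}
    # A value outside openid.signed could have been added by anyone on the
    # redirect path, so it counts for exactly as much as an absent one.
    if not {AUTH_AGE, AUTH_AGE_ACK} <= signed:
        return "step_up", "auth-age parameters missing or unsigned"
    if resp[AUTH_AGE_ACK] != "true":
        return "step_up", "IdP did not acknowledge the max-age request"
    try:
        age = int(resp[AUTH_AGE])
    except ValueError:
        return "reject", "malformed auth_age"
    if not 0 <= age <= max_age:
        return "step_up", f"reported age {age}s exceeds {max_age}s"
    # This only proves the IdP *said* it re-authenticated; as the thread notes,
    # the RP has no way to prove it actually happened.
    return "proceed", f"IdP claims authentication {age}s ago"
```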