Agreed, OpenID does not identify a *person*, rather that the user of the
current browser session has control over the given URI.  This is the
same as email, you can't guarantee the email server only allows one
person to use each address.

I think the issue is that for IdPs doing nothing other than being an
IdP, this won't be a concern.  Though people making IdPs out of other
applications, this could be a problem.  Thus making it required seems to
actually hurt us since as Mart said they'll just say they did it. :-\


-----Original Message-----
Behalf Of Dick Hardt
Sent: Monday, October 02, 2006 9:33 AM
To: Martin Atkins
Subject: Re: [PROPOSAL] authentication age

On 2-Oct-06, at 2:48 AM, Martin Atkins wrote:

> Recordon, David wrote:
>> That was going to be my exact follow-up to my own message, though got

>> distracted.  What I phrased was how Dick described it.
>> I like the feature, though agree that many IdPs may be unable to 
>> implement it due to how they do session handling.  It could be 
>> augmented to also contain a response parameter telling the RP if the 
>> IdP acknowledged it, then the RP could make the decision if it wants 
>> to proceed.
> But again, IdPs will just send it whether they did it or not, because 
> it's like a "make it work" flag; people will quickly forget/dismiss 
> what it really means and set it just to make their IdP work.
> Unless you've got some way to *prove* that you did it (I can't think 
> of
> one) there's no point.
> This also ignores the fact that not all "IdPs" are going to use 
> sessions and passwords. One could potentially make one that acts on a 
> presented certificate, for example. Or one which just returns "Yes" to

> everything as an anonymising tool.

OpenID, like many other protocols, places trust on the IdP that it will
operate per the protocol.
The user takes responsibility for choosing an IdP that they trust to
operate appropriately.

eg: There is nothing that stops an IdP from *proving* a particular URL
belongs to a particular user.

Currently I have pointing to, the server could state any user at owns,
but I trust to not do that. There is no way to
*prove* it is me using the URL.

-- Dick

specs mailing list

specs mailing list

Reply via email to