On 2013-02-23 12:18 AM, "Jay Ashworth" <[email protected]> wrote:
> > ----- Original Message -----
> > From: "Marc A. Pelletier" <[email protected]>
> >
> > > On 02/22/2013 10:43 PM, Jay Ashworth wrote:
> > > So, then, all OpenID guarantees is "this provider says it's the same
> > > person it was last time"?
> >
> > The exact semantics is, IIRC, "that person has presented credential to
> > us we accept as identifying them as our user $IDENTIFIER". Whether the
> > client trusts that $IDENTIFIER is reasonably stable for their
> > purposes, or that they trust our word, is their call.
>
> I'm translating that as "yes". :-)
>
> I've always looked with rather a jaundiced eye at OpenID, as it was sold
> as "you can run your own authenticator service", and that always struck me
> as "I am who I say I am", which is, obviously, pretty useless, in the
> general case. (Early examples showed login boxes where you *provided
> the URL of a random OID provider*; clearly, if the site doesn't trust
> said provider, the transaction is useless.)
>
> Cheers,
> -- jra
> --
While that depends on your use case. In many situations it is the user's (and only the user's) problem if the OID provider is untrustworthy. It then becomes the user's responsibility to pick a good OID provider. (Giving users security responsibilities - because that has never gone wrong ;).

That said, in many ways it's no different from normal passwords: users aren't supposed to share passwords - users aren't supposed to pick OID providers they don't trust.

What I've always wondered is what happens if your OID provider goes under or otherwise disappears. I imagine that means you lose your user account all across the internet, which is a scary thought.

-bawolff

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
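Added illustration (not code from the thread, from MediaWiki, or from any OpenID library) of the relying-party side of the trust model the thread describes: an assertion carries only "provider P says this is its user $IDENTIFIER", so the relying party keeps its own allowlist of providers it trusts, keys identities on the (provider, identifier) pair rather than the bare identifier, and lets one local account link several identities so that the account outlives any single provider. The provider URLs, usernames and the dict shape of an assertion are constructed for this example.

```python
"""Relying-party (RP) side of OpenID-style trust, as a worked model.

Constructed example. An assertion from a provider is modelled as
    {"provider": <provider endpoint URL>, "identifier": <claimed identifier>}
and means only "this provider says the user presenting it is its user
<identifier>". Whether to believe the provider at all is the RP's policy.
"""
from dataclasses import dataclass, field


class UntrustedProvider(Exception):
    """The RP does not accept assertions from this provider."""


class UnknownIdentity(Exception):
    """Trusted provider, but the identifier is linked to no local account."""


@dataclass
class Account:
    username: str
    identities: set = field(default_factory=set)  # {(provider, identifier), ...}


class RelyingParty:
    def __init__(self, trusted_providers):
        self.trusted = set(trusted_providers)   # provider allowlist (RP policy)
        self.accounts = {}                      # username -> Account
        self.by_identity = {}                   # (provider, identifier) -> username

    @staticmethod
    def _key(assertion):
        # The identifier is scoped to the provider that vouched for it; the
        # same string asserted by another provider is a different identity.
        return (assertion["provider"], assertion["identifier"])

    def _checked_key(self, assertion):
        key = self._key(assertion)
        if key[0] not in self.trusted:
            raise UntrustedProvider(key[0])
        return key

    def resolve(self, assertion):
        """Map a provider assertion to the local account it is linked to."""
        key = self._checked_key(assertion)
        username = self.by_identity.get(key)
        if username is None:
            raise UnknownIdentity(key)
        return self.accounts[username]

    def register(self, username, assertion):
        """Create a local account whose first identity is this assertion."""
        key = self._checked_key(assertion)
        if username in self.accounts or key in self.by_identity:
            raise ValueError("username or identity already in use")
        self.accounts[username] = Account(username, {key})
        self.by_identity[key] = username
        return self.accounts[username]

    def link(self, username, assertion):
        """Attach a second (provider, identifier) to an existing account."""
        key = self._checked_key(assertion)
        if key in self.by_identity:
            raise ValueError("identity already linked to an account")
        self.accounts[username].identities.add(key)
        self.by_identity[key] = username

    def retire_provider(self, provider):
        """A provider disappears: stop trusting it and drop its identities.

        Accounts whose only identity lived at that provider are orphaned,
        which is the failure mode raised in the thread; linked identities
        at other providers keep the remaining accounts reachable.
        Returns the orphaned usernames.
        """
        self.trusted.discard(provider)
        orphaned = []
        for key in [k for k in self.by_identity if k[0] == provider]:
            username = self.by_identity.pop(key)
            acct = self.accounts[username]
            acct.identities.discard(key)
            if not acct.identities:
                orphaned.append(username)
        return sorted(orphaned)


def outcome(rp, assertion):
    """Describe how the RP treats an assertion, as a plain string."""
    try:
        return "ok:" + rp.resolve(assertion).username
    except UntrustedProvider:
        return "untrusted-provider"
    except UnknownIdentity:
        return "unknown-identity"


def demo():
    # Constructed providers and users.
    idp_a, idp_b = "https://idp-a.example/", "https://idp-b.example/"
    a_alice = {"provider": idp_a, "identifier": idp_a + "alice"}
    b_alice = {"provider": idp_b, "identifier": idp_b + "alice"}
    a_bob = {"provider": idp_a, "identifier": idp_a + "bob"}

    rp = RelyingParty([idp_a, idp_b])
    rp.register("alice", a_alice)
    rp.link("alice", b_alice)      # alice has a fallback identity at idp_b
    rp.register("bob", a_bob)      # bob only ever used idp_a

    result = {"alice_before": outcome(rp, a_alice), "bob_before": outcome(rp, a_bob)}
    result["orphaned"] = rp.retire_provider(idp_a)   # idp_a goes under
    result["alice_after"] = outcome(rp, b_alice)     # still reachable via idp_b
    result["a_alice_after"] = outcome(rp, a_alice)   # idp_a is no longer trusted
    return result


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `retire_provider`: the RP can do nothing for bob once his only provider is gone, while alice keeps her account because it was bound to her, not to one provider's say-so. The same check in `_checked_key` is what makes "provide the URL of a random OID provider" harmless to the site: an assertion from a provider outside the allowlist never reaches account lookup.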
