It sounds like you are conflating security, trust, level of assurance of
real identity (autonym/veronym) and of authentication.
In most transactions, you do not need an autonym. For example, a ticket
vendor does not need to know who you are, but it had better make sure to
hand the concert ticket to the person who paid for it. It involves Level
of Assurance on authentication but it does not involve LoA on autonymity.
I do not have too much time right now so I will not dig deeper, but
considering these separately will help you understand the issue.
=nat
(2009/12/11 12:37), Brandon Ramirez wrote:
So OpenID is good when security is of little importance? I'm not
trying to be a pain, but the classic response to the trust argument is
always that OpenID is meant for use cases where security isn't important.
The problem is that to every RP, security IS important. To them.
- Brandon
On Thu, Dec 10, 2009 at 4:49 PM, Jacob Bellamy <[email protected]> wrote:
This might be a silly question, but aren't the interactions between
banks and government inherently different from, say, a user's
interaction with livejournal? In the former case, security takes
precedence, and in the latter usability does. If a bank or
government institution is an RP, then they should have every right
to demand you use an OP which they trust, and if this is the case,
then it is just a matter of using whitelists. Users should be
wary regardless of using the same identity which they would use to
log in to social networking sites, in the same manner in which
they should be wary of using the same password for their hotmail
and for their bank.
_______________________________________________
security mailing list
[email protected] <mailto:[email protected]>
http://lists.openid.net/mailman/listinfo/openid-security
--
Nat Sakimura ([email protected])
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547