On Mon, Feb 9, 2009 at 5:53 PM, Nate Klingenstein <[email protected]> wrote:
> > Restricting users to only "some trusted OPs" absolutely breaks the core
> > user-centric identity concept on which OpenID is built.
>
> Please re-read Balasubramanian's comments. My response was, "yes, it does
> break one of the rules of thumb," with the addition that many other things
> are threatening those concepts today as well.

Replace "OpenID" with "email" and I think you get a clearer picture of the answer to your question. Which email domains do you want to prevent users from using when signing up for an account?

Since most user accounts are as secure as someone's email account, I don't think that supporting OpenID weakens or lessens that situation; in fact, if you support SSL, you can improve it for your users — and provide them with a means to have greater security — through the choice of a secure OpenID Provider.

It isn't that OpenID is or isn't more secure in and of itself. In combination with other technologies, it can change the threat model for user accounts on the web, moving away from usernames and passwords that are treated like confetti and strewn about across the web to one where an individual is incentivized to protect their identity/OpenID.

In any case, familiarizing yourself with how OpenID works is critical.

From a convenience perspective, I think preventing your users from having to create yet another username and password is certainly a benefit and worth considering as well.

Chris

--
Chris Messina
Citizen-Participant & Open Web Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com

This email is:
[ ] bloggable
[X] ask first
[ ] private
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
