While I'd certainly agree that a goal is letting anyone set up an IdP
and have it work on any RP, I see that as utopia.  The protocol should
certainly support that, as well as not do anything to actively thwart
it.  With that said, OpenID as a protocol can be used in cases where
this may not be desired.
 
I agree that the best way to look at this is by creating a distributed
trust/reputation network.  This thus allows a RP to intelligently make a
decision of if it should accept a given identifier, or the IdP it is
hosted on.  Right now I see this as needed to really bootstrap large
scale adoption.
 
Any word from Karmasphere about something like this, Meng?
 
--David
 
P.S. Plain-text kills all fonts. :)

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kaliya Hamlin
Sent: Sunday, October 22, 2006 3:43 PM
To: specs@openid.net
Subject: Re: [PROPOSAL] Handle "http://[EMAIL PROTECTED]" Style
Identifiers


For starters, please don't use Comic Sans in professional correspondence.
It is very hard to read (or take seriously).
http://bancomicsans.com/home.html


On Oct 22, 2006, at 11:44 AM, Praveen Alavilli wrote:

        
        
        It's more of a problem with how we can accept 3rd party OpenId
        users at AOL (we as an RP). Obviously for simple use cases like leaving
        comments on blogs it wouldn't really matter as long as the user is
        identified by someone (and someone doing rate limiting or something else
        to prevent spamming - otherwise I still can't see how it reduces spam
        anyway) - but when we want to take it to the next level - provide more
        services to these users (photos/calendar/etc.) we want to limit it to
        only a few IDPs whom we trust (due to both security and business
        reasons).
        


This doesn't really work in the model.  The goal is to let anyone set up
their own OpenID and that basically across the OpenID universe it works.
You limiting it to only like Verisign or other 'big' IdPs is not really
part of the vision of what we are trying to build.  Obviously behind
this whole network needs to be reputation for IdPs and individual OpenID
addresses.  


        So this is the problem we are trying to figure out how we can
        message the users that we support OpenIds from certain providers (say
        Verisign PIP) but not from all.
        


This is one way to approach it and I hope you don't do it this way
because it breaks what OpenID is about. 

        
        Another area where we want some more clarification (if it
        already exists) or support is about how we can have a persistent handler
        (apart from URI) for a given user so it would help in cases when a
        user's account gets reclaimed by someone else.
        


Ahh... that is where further reading of what i-names and i-numbers are
about would help. Because there is another level of indirection built
in, when an i-name is reassigned the i-number below it is not. This
helps users not have the 'reclaiming by someone else problem' when
depending on URLs.


        
        



______________________________________

Identity Woman: Saving the world with user-centric identity. 
www.identitywoman.net


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
