Trust/threat model for OpenID

Timothy Parez timothyparez at linux.be
Fri Jul 28 10:57:17 UTC 2006


I don't think any assumptions are being made except that the person has
identified himself.
The assumptions you make based on those identifications are completely up to
you.

OpenID handles authentication, authorization is totally up to you.

And if you really want to, you can decide in your applications what OpenID
registrars you want to trust or not. Although this works against the idea
behind OpenID. Perhaps allowing all registrars and having a list of those
you do not trust might be better (for example a registrar that abuses
accounts or something).

Tim.

-----Original Message-----
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Gabe Wachob
Sent: Friday 28 July 2006 12:24
To: yadis at lists.danga.com
Subject: Trust/threat model for OpenID

Has someone written up a trust/security model for OpenID (i.e. who trusts who
for what, and what the threats are to the parties involved?)

I'm not sure what assumptions are being made about the participating parties
so I'm not terribly comfortable assessing its use for a variety of
environments other than things like SSO to livejournal for posting comments
;-)

TIA

    -Gabe

--
Gabe Wachob / gwachob at wachob.com \ http://www.wachob.com
CTO, Amsoft / gabe.wachob at amsoft.net \ http://www.amsoft.net
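
The provider-trust choice discussed in this thread (accept every registrar except a short list, or accept only listed ones), kept separate from authorization, as an added example that is not part of the original messages. All hostnames, function names and role names are assumptions, and the identity URL and provider endpoint are assumed to come from an OpenID exchange that has already been verified.

```python
from urllib.parse import urlsplit

# Constructed policy data; these hostnames are placeholders, not real providers.
DENIED_PROVIDERS = {"abusive-idp.example"}
ALLOWED_PROVIDERS = {"idp.example.org"}


def provider_host(server_url):
    """Return the normalized host of a provider endpoint, or None if unusable."""
    try:
        parts = urlsplit(server_url)
        host = parts.hostname  # lowercased; userinfo and port are stripped
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")  # "idp.example." and "idp.example" are the same host


def _listed(host, entries):
    # An entry matches the host itself and any subdomain of it.
    return any(host == e or host.endswith("." + e) for e in entries)


def provider_trusted(server_url, mode="denylist"):
    """denylist: any provider except listed ones; allowlist: listed ones only."""
    host = provider_host(server_url)
    if host is None:
        return False  # fail closed on anything that cannot be parsed
    if mode == "allowlist":
        return _listed(host, ALLOWED_PROVIDERS)
    return not _listed(host, DENIED_PROVIDERS)


def authorize(identity_url, server_url, local_roles, mode="denylist"):
    """Map an authenticated identity to roles using local data only.

    The OpenID result says who the user is; what they may do is decided here.
    Unknown identities get the hypothetical low-privilege role "commenter".
    """
    if not provider_trusted(server_url, mode):
        return set()
    return set(local_roles.get(identity_url, {"commenter"}))
```

Matching on the parsed, normalized host rather than on the raw URL string is what keeps case changes, a trailing dot, a port, or a `user@host` prefix from slipping a denied provider past the list.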



