Trust/threat model for OpenID

[Fen Labalme]

Timothy Parez wrote:
> If an openID of an unkown registrar is presented your application
> should have a means of contacting the administrator and allowing him
> or her (not) to trust that new registrar after evaltuation.

This is where reputation systems come in.  And in order for an entity
represented by an OpenID (or any other verifiable token) to accrue reputation,
you don't have to know the person (or bot or dog...) "behind" the ID, only
that (as Johannes said) that it is the *same* entity every time.

Of course, you have to trust your reputation service, too.  Initially, there
will probably be a few major players, but a widely distributed reputation
systems will emerge, for this more closely mirrors our present reality.  We
each have people we trust for (say) fixing our car which are different than
the people we trust for teaching our kids or recommending pizza.

Reputation providers will have OpenIDs and protocols will emerge that enable
everyone to provide as well as consume reputation services.  Take it one step
further and promote reputation assertions (perhaps represented as a signed
triple) to first class objects - that is, they can accumulate reputation, too
- and you have a system that very nearly mirrors our experience.

But that's long term.  In the short term, the trust/threat model will depend
largely on who you trust to begin with, and I think rudimentary reputation
systems that rate IdPs will be necessary from the beginning.  While there are
less than (say) five IdPs we can do it informally, but we're going to need
some automated way of looking up an OpenID's reputation very quickly.

Opinity and Karmasphere are early players in the reputation services arena.
Do you guys have something to add to this picture?

=Fen