OpenID Single-Sign-Off
Kristopher Tate
kris at bbridgetech.com
Fri Jul 1 16:46:25 PDT 2005
Kurt,
It makes even _more_ sense because it's on the Internet.
The Internet is much bigger, and definitely less secure than a LAN.
This makes SSO protocols have to think about everything, from end to
end.
All of us want OpenID to be as light as possible, but honestly, I don't
know if it's safe to just allow users to go out there unaware if they
are logged in or out of any consumer. There are forgetful people who
use public computers frequently, people who might forget to log out of a
site, and trust that everything will be okay.
If we are never going to propose or accept a single sign-off mode, then
at least we need standards/guidelines written in the spec explaining
good practices for both ID servers and consumers to deal with session
data.
-Kris
On 2005/07/01, at 4:34 PM, Kurt Raschke wrote:
> However, given that OpenID producers and consumers are on the
> Internet, and operated by various entities with various security
> policies in terms of session time-out and such, I'm not sure that it
> makes sense in this case.
>
> Is there something here I'm not seeing?
>
> -Kurt