Trust/threat model for OpenID

Timothy Parez timothyparez at
Fri Jul 28 10:57:17 UTC 2006

I don't think any assumptions are being made except that the person has
identified himself.
The assumptions you make based on those identifications are completely up to

OpenID handles authentication; authorization is totally up to you.

And if you really want to, you can decide in your applications which OpenID
registrars you want to trust or not, although this works against the idea
behind OpenID. Perhaps allowing all registrars and having a list of those
you do not trust might be better (for example, a registrar that abuses
accounts or something).


-----Original Message-----
From: yadis-bounces at [mailto:yadis-bounces at]
On Behalf Of Gabe Wachob
Sent: Friday 28 July 2006 12:24
To: yadis at
Subject: Trust/threat model for OpenID

Has someone written up a trust/security model for OpenID (i.e. who trusts who
for what, and what the threats are to the parties

I'm not sure what assumptions are being made about the participating parties
so I'm not terribly comfortable assessing its use for a variety of
environments other than things like SSO to LiveJournal for posting comments



Gabe Wachob / gwachob at \ CTO, Amsoft /
gabe.wachob at \
