Trust/threat model for OpenID

Recordon, David drecordon at
Fri Jul 28 16:56:53 UTC 2006

The protocol itself doesn't specify how the person authenticates to
their Identity Provider, but the result of the protocol flow is proof
that the user authenticated to the Identity Provider and controls the
given URL/i-name.  Obviously there could be IdPs that require no
authentication (just as there are mail servers which are open relays),
but relying parties would quickly no longer trust them.


-----Original Message-----
From: yadis-bounces at
[mailto:yadis-bounces at] On Behalf Of Timothy Parez
Sent: Friday, July 28, 2006 9:41 AM
To: yadis at
Subject: RE: Trust/threat model for OpenID

So, all OpenID does is identify someone, but it doesn't actually
authenticate the identification?
And there's no way (built in) to verify the authenticity of the
identification, then what is the use of OpenID all together... ? (if
this is 100% true/correct)


-----Original Message-----
From: yadis-bounces at
[mailto:yadis-bounces at] On Behalf Of Thomas Broyer
Sent: vrijdag 28 juli 2006 14:52
To: yadis at
Subject: Re: Trust/threat model for OpenID

2006/7/28, Timothy Parez:
> OpenID handles authentication, authorization is totally up to you.

No, OpenID handles identification, not even authentication.

Thomas Broyer

More information about the yadis mailing list