Trust/threat model for OpenID

Timothy Parez timothyparez at
Fri Jul 28 17:27:34 UTC 2006

That's what I thought as well,
I don't see why I should write my own sign-up code if this is already
provided by opened.

The first time a user logs in using OpenID the applications asks if he or
she wants to create
a profile in order to get access to the member-features of the site. If he
or she does
then I simply create an entry in my member table where the record is
identified by an openID string
instead of an e-mail address (as done in many cases).

I don't see why it should be less secure.

-----Original Message-----
From: OConnor, Brendan Francis [mailto:boconnor at] 
Sent: vrijdag 28 juli 2006 18:46
To: Timothy Parez
Subject: RE: Trust/threat model for OpenID

It would seem to me  that the use is exactly the same as any other system
where you allow a user to specify a username and password. Yahoo!
Mail comes to mind, Wikipedia, OSS Calendars,... The list goes on.

For any application where you aren't going to verify the authenticity
anyway, OpenID simplifies everything for you. At least, that's how it
appears to me.


-----Original Message-----
From: yadis-bounces at
[mailto:yadis-bounces at] On Behalf Of Timothy Parez
Sent: Friday, July 28, 2006 9:41 AM
To: yadis at
Subject: RE: Trust/threat model for OpenID

So, all OpenID does is identify someone, but it doesn't actually
authenticate the identification?
And there's no way (built in) to verify the authenticity of the
identification, then what is the use of OpenID all together... ? (if this is
100% true/correct)


-----Original Message-----
From: yadis-bounces at
[mailto:yadis-bounces at] On Behalf Of Thomas Broyer
Sent: vrijdag 28 juli 2006 14:52
To: yadis at
Subject: Re: Trust/threat model for OpenID

2006/7/28, Timothy Parez:
> OpenID handles authentication, authorization is totally up to you.

No, OpenID handles identification, not even authentication.

Thomas Broyer

More information about the yadis mailing list