Trust/threat model for OpenID
Martin Atkins
mart at degeneration.co.uk
Fri Jul 28 18:08:04 UTC 2006
Thomas Broyer wrote:
> 2006/7/28, Timothy Parez:
>> OpenID handles authentication, authorization is totally up to you.
>
> No, OpenID handles identification, not even authentication.
>
Well, sort of.

You can't identify the particular person, but you *can* authenticate a
token (the URL) representing that person. Unless something has gone
wrong, no-one else should be able to claim that URL falsely.

Of course, it's quite possible (trivial, in fact) for someone to set up
an identity provider that just lets anyone authenticate... but dealing
with that is more of an authorization problem than an authentication one.