Trust/threat model for OpenID

Martin Atkins mart at
Fri Jul 28 18:08:04 UTC 2006

Thomas Broyer wrote:
> 2006/7/28, Timothy Parez:
>> OpenID handles authentication, authorization is totally up to you.
> No, OpenID handles identification, not even authentication.

Well, sort of.

You can't identify the particular person, but you *can* authenticate a 
token (the URL) representing that person. Unless something has gone 
wrong, no-one else should be able to claim that URL falsely.

Of course, it's quite possible (trivial, in fact) for someone to set up 
an identity provider that just lets anyone authenticate... but dealing 
with that is more of an authorization problem than an authentication one.

More information about the yadis mailing list