Trust/threat model for OpenID

Peter Davis peter.davis at neustar.biz
Fri Jul 28 18:36:23 UTC 2006


On 7/28/2006 2:08 PM, "Martin Atkins" <mart at degeneration.co.uk> wrote:

> Thomas Broyer wrote:
>> 2006/7/28, Timothy Parez:
>>> OpenID handles authentication, authorization is totally up to you.
>> 
>> No, OpenID handles identification, not even authentication.
>> 
> 
> Well, sort of.
> 
> You can't identify the particular person, but you *can* authenticate a
> token (the URL) representing that person. Unless something has gone
> wrong, no-one else should be able to claim that URL falsely.
> 
> Of course, it's quite possible (trivial, in fact) for someone to set up
> an identity provider that just lets anyone authenticate... but dealing
> with that is more of an authorization problem than an authentication one.

Well, you are not authenticating the binding of the identifier with a user
agent, really.  You are relying on a third party, who claims the
relationship... Nothing more.  So relying parties to assertions from unknown
IDPs beware.

=peterd  ( http://xri.net/=peterd )
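The distinction being drawn in this exchange, put into code. This is an added illustration, not code from the thread or from any OpenID library: the identifiers, OP endpoints, association secrets and the "discovery" table are all constructed, and the signing mirrors the shape of OpenID 1.1 (HMAC-SHA1 under an association secret over the signed fields) without being wire-compatible. It separates the three things a relying party does with an assertion: verify the signature (the named OP really said this), check that the OP is the one the identifier URL delegates to (so nobody else can claim that URL), and then apply its own policy on which OPs' word it accepts, which is the part Peter's warning is about.

```python
"""Simplified model of what an OpenID relying party (RP) actually
verifies when it accepts a signed assertion.

Added illustration for this thread, not code from the thread or from
any OpenID library. Identifiers, endpoints, secrets and the discovery
table are constructed. Real OpenID 1.1 signs a key/value encoding of
the response with HMAC-SHA1 under an association secret; this mirrors
that shape but is not wire-compatible.
"""
import hashlib
import hmac

# Constructed "discovery" results: fetching the claimed identifier URL
# tells the RP which OP is authoritative for it.
DISCOVERY = {
    "http://alice.example.org/": "https://op.example.org/server",
    "http://bob.example.net/": "https://anyone.example.net/server",
}

# Constructed association secrets the RP shares with each OP.
ASSOCIATIONS = {
    "https://op.example.org/server": b"constructed-secret-trusted-op",
    "https://anyone.example.net/server": b"constructed-secret-open-op",
}

# RP policy, separate from the protocol: which OPs' word is good enough.
TRUSTED_OPS = {"https://op.example.org/server"}


def _message(fields):
    # Canonical ordering so signer and verifier hash identical bytes.
    return "\n".join(f"{k}:{fields[k]}" for k in sorted(fields)).encode()


def sign_assertion(op_endpoint, identity, return_to, nonce):
    """OP side: sign 'this identity logged in here' with the association secret."""
    fields = {"identity": identity, "return_to": return_to, "nonce": nonce}
    sig = hmac.new(ASSOCIATIONS[op_endpoint], _message(fields), hashlib.sha1)
    return dict(fields, op_endpoint=op_endpoint, sig=sig.hexdigest())


def check_assertion(assertion):
    """RP side. Returns (accepted, reason).

    1. Signature: proves the named OP produced this assertion.
    2. Discovery: proves the named OP is the one the identifier URL
       itself delegates to, so a different OP cannot claim the URL.
    3. Trust policy: the OP's claim is still only a claim; the RP
       decides which OPs it believes. (Nonce replay checking is
       omitted here to keep the three steps visible.)
    """
    op = assertion["op_endpoint"]
    secret = ASSOCIATIONS.get(op)
    if secret is None:
        return (False, "no association with this OP")
    fields = {k: v for k, v in assertion.items() if k not in ("op_endpoint", "sig")}
    expected = hmac.new(secret, _message(fields), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return (False, "bad signature")
    if DISCOVERY.get(assertion["identity"]) != op:
        return (False, "OP is not authoritative for this identifier")
    if op not in TRUSTED_OPS:
        return (False, "signature valid, but RP does not trust this OP")
    return (True, "accepted")


if __name__ == "__main__":
    rt, n = "https://rp.example.com/return", "constructed-nonce-1"
    # Alice via her own OP: verifiable, correctly bound, trusted.
    print(check_assertion(sign_assertion(
        "https://op.example.org/server", "http://alice.example.org/", rt, n)))
    # The open OP asserting Alice's URL: signature verifies, discovery check fails.
    print(check_assertion(sign_assertion(
        "https://anyone.example.net/server", "http://alice.example.org/", rt, n)))
    # Bob via the open OP he delegates to: verifiable and correctly bound,
    # but this RP has decided not to take that OP's word.
    print(check_assertion(sign_assertion(
        "https://anyone.example.net/server", "http://bob.example.net/", rt, n)))
```

The second and third cases are the two halves of the argument: the discovery check is what keeps "no-one else should be able to claim that URL falsely" true, and the third case shows that a perfectly valid, correctly bound assertion from an OP that lets anyone in is still just that OP's claim, so whether to act on it is the relying party's decision, not something the protocol settles.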


