Trust/threat model for OpenID

Peter Davis peter.davis at
Fri Jul 28 18:36:23 UTC 2006

On 7/28/2006 2:08 PM, "Martin Atkins" <mart at> wrote:

> Thomas Broyer wrote:
>> 2006/7/28, Timothy Parez:
>>> OpenID handles authentication, authorization is totally up to you.
>> No, OpenID handles identification, not even authentication.
> Well, sort of.
> You can't identify the particular person, but you *can* authenticate a
> token (the URL) representing that person. Unless something has gone
> wrong, no-one else should be able to claim that URL falsely.
> Of course, it's quite possible (trivial, in fact) for someone to set up
> an identity provider that just lets anyone authenticate... but dealing
> with that is more of an authorization problem than an authentication one.

Well, you are not authenticating the binding of the identifier with a user
agent, really.  You are relying on a third party, who claims the
relationship... Nothing more.  So relying parties to assertions from unknown
IDPs beware.

=peterd  ( )
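Peter's distinction above, as an added example that is not part of the thread: an RP-side check that separates verifying an OpenID 2.0 positive assertion (the HMAC over the key-value form of the signed fields, as the spec defines it) from deciding whether the asserting OP is one the RP chose to trust. The association secret, the trusted-endpoint list, the sample identifiers and the helper names are constructed for the demo; a single secret stands in for whatever association the RP would have established with the discovered OP.

```python
import base64
import hashlib
import hmac

# Constructed: the shared secret from the RP's association with the discovered OP.
ASSOC_SECRET = b"constructed-shared-secret-for-demo"

# Constructed RP policy: OP endpoints whose assertions are allowed to grant access.
TRUSTED_OP_ENDPOINTS = {"https://op.example.net/server"}


def kv_form(fields, signed):
    """OpenID 2.0 key-value form ("key:value\\n") over the signed fields, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields):
    """Base64 HMAC-SHA1 over the key-value form, as the OP computes it."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(ASSOC_SECRET, kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_assertion(fields):
    """Authentication step: the token (URL) was asserted by the OP we associated with."""
    return hmac.compare_digest(sign(fields), fields["openid.sig"])


def authorize(fields):
    """Authorization step: a valid assertion from an unknown OP is still not trusted."""
    if not verify_assertion(fields):
        return "rejected: bad signature"
    if fields["openid.op_endpoint"] not in TRUSTED_OP_ENDPOINTS:
        return "authenticated identifier, but OP not trusted"
    return "accepted"


def make_assertion(op_endpoint, claimed_id):
    """Constructed id_res response, signed the way an OP would sign it."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example.org/finish",
        "openid.response_nonce": "2006-07-28T18:36:23Zconstructed",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields)
    return fields
```

The second case is the one the thread warns about: an OP that lets anyone log in produces assertions that verify perfectly, so the RP has to decide trust in the OP itself, not just in the signature.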
