Trust/threat model for OpenID
Peter Davis
peter.davis at neustar.biz
Fri Jul 28 18:36:23 UTC 2006
On 7/28/2006 2:08 PM, "Martin Atkins" <mart at degeneration.co.uk> wrote:
> Thomas Broyer wrote:
>> 2006/7/28, Timothy Parez:
>>> OpenID handles authentication, authorization is totally up to you.
>>
>> No, OpenID handles identification, not even authentication.
>>
>
> Well, sort of.
>
> You can't identify the particular person, but you *can* authenticate a
> token (the URL) representing that person. Unless something has gone
> wrong, no-one else should be able to claim that URL falsely.
>
> Of course, it's quite possible (trivial, in fact) for someone to set up
> an identity provider that just lets anyone authenticate... but dealing
> with that is more of an authorization problem than an authentication one.

Well, you are not authenticating the binding of the identifier with a user
agent, really. You are relying on a third party, who claims the
relationship... Nothing more. So relying parties to assertions from unknown
IDPs beware.

=peterd ( http://xri.net/=peterd )

More information about the yadis mailing list