A look at OpenID

A look at OpenID

Posted Oct 5, 2006 9:59 UTC (Thu) by robster (subscriber, #4849)
Parent article: A look at OpenID

Since OpenID identities can be anonymous, this will allow for anonymous, but authenticated, users; one can verify that the identity wrote a particular message without making a connection to the real life person behind it.

This property is called pseudonymity. The Wikipedia article explains some of the motivation why this is useful.

To provide trust is another interesting problem; perhaps this could be implemented by using some kind of signed certificate declaring the real-person details associated with the URL. This would make OpenID useful for systems that require a greater level of trust (LWN?).


A look at OpenID

Posted Oct 5, 2006 17:13 UTC (Thu) by iabervon (subscriber, #722)

Trust is actually too vague a concept to implement in this sort of system. It should be possible for a URL to list the certificates it has, in case somebody cares, but there are no issuing authorities which everybody should trust about anything, which implies that the system cannot automatically use any certificates (at least, without special configuration).

LWN could certainly use OpenID as it is, in any case, by simply allowing users to optionally have an OpenID (hosted elsewhere) which grants access to the site. This is no less or more secure or trustworthy than the current scheme of having a password. If anything, this allows LWN to trust users slightly more, because it could verify that the mingo here (for example) is able to use the identity that the mingo on kernel.org claims to control, and therefore, if the mingo on kernel.org does something interesting, whatever the local mingo says about it is authoritative (at worst, it is written by an authorized ghostwriter).

The thing that OpenID is lacking, in my opinion, is a way for relying sites to submit transactions of standard types to the authorizing site (which presumably checks them with the user outside the scope of the system) for certification. That is, there is no way for LWN to prove to me that it verified the ID of the client which posted a comment as being that of the mingo on kernel.org; I have to decide whether LWN can be trusted to do this particular check to my satisfaction, rather than getting proof that the purported well-known author is satisfied.

Problems with trust

Posted Oct 6, 2006 15:17 UTC (Fri) by copsewood (subscriber, #199)

Trust is a very difficult thing to automate in a decentralised manner other than in very narrow contexts. Consider the kind of trust questions an identity user site might be interested in:

a. Can this user be trusted to interact accountably and responsibly with children under the age of 16?

b. Can this person be trusted to order goods on-line to be delivered to the home address on the bank card used, to a value of less than $100?

c. Can this entity be trusted to deliver an email to my inbox which will not waste a couple of seconds of my limited lifespan?

d. Can this person, identified by an organisation I have a support contract with, be trusted not to have any conflict of interest through operating the root account on my supported server, in connection with support access they have recently had to confidential data of specified competitors in my industry?

e. Can this person be trusted as being a recent line manager, within the organisation identifying him or her, of a job applicant, to provide a reference as their recent line manager?

These trust-relevant questions are so different in their requirements that I think each would require entirely separate protocols. Having a common protocol that authenticates the players' identities is only the first step.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds