A look at OpenID
Posted Oct 5, 2006 17:13 UTC (Thu) by iabervon
In reply to: A look at OpenID
Parent article: A look at OpenID
Trust is actually too vague a concept to implement in this sort of system. It should be possible for a URL to list the certificates it has, in case somebody cares, but there are no issuing authorities which everybody should trust about anything, which implies that the system cannot automatically use any certificates (at least, without special configuration).
LWN could certainly use OpenID as it is, in any case, by simply allowing users to optionally have an OpenID (hosted elsewhere) which grants access to the site. This is no less or more secure or trustworthy than the current scheme of having a password. If anything, this allows LWN to trust users slightly more, because it could verify that the mingo here (for example) is able to use the identity that the mingo on kernel.org claims to control, and therefore, if the mingo on kernel.org does something interesting, whatever the local mingo says about it is authoritative (at worst, it is written by an authorized ghostwriter).
The thing that OpenID is lacking, in my opinion, is a way for relying sites to submit transactions of standard types to the authorizing site (which presumably checks them with the user outside the scope of the system) for certification. That is, there is no way for LWN to prove to me that it verified the ID of the client which posted a comment as being that of the mingo on kernel.org; I have to decide whether LWN can be trusted to do this particular check to my satisfaction, rather than getting proof that the purported well-known author is satisfied.