LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

BrowserID: A new web authentication scheme

BrowserID: A new web authentication scheme

Posted Jul 29, 2011 2:38 UTC (Fri) by jamesh (guest, #1159)
Parent article: BrowserID: A new web authentication scheme

Your comparison of VEP to OpenID seems a bit off. Without outside knowledge, all an OpenID authentication handshake tells a site is that the user of a particular browser session owns a given URL, which is pretty much the same as VEP.

While you can transfer other user details with OpenID, those details are just self asserted. There is nothing in the protocol that allows the relying party to know whether to trust those values, so by default the values are no more trust worthy than if the user had typed them directly on the relying party site.

The only way people are currently adding trust to this model is if there is a trust relationship between a relying party and particular OpenID providers. For example, if you know that Google will never return an email address that it has not validated, then you may implicitly trust values from identities controlled by Google.

If BrowserID expands to handle additional user information, then it will have to deal with this too. They might have an easier time though, since they're already dealing with trusted third party assertions for the primary identifier.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds