|
|
Subscribe / Log in / New account

OpenID provider vs relying party

OpenID provider vs relying party

Posted Jun 24, 2008 18:51 UTC (Tue) by mmcgrath (guest, #44906)
In reply to: OpenID provider vs relying party by tialaramex
Parent article: FUDCon report from the Fedora Project Leader (Red Hat Magazine) 

> Setting up an OpenID _provider_ like this is very nearly useless. Fedora
> ought to be looking at becoming an OpenID relying party, not a provider.

I wouldn't say useless.  People like being able to, for example, make comments on livejournal
without needing an account.  Lots of bloggers (including myself) use livejournal.

As far as being a consumer, we're in an odd position there.  We have an OpenID plugin for our
wiki that we could enable right now, the problem is in our Contributor License Agreement.
Without having signed it, we can't accept someone's content... basically making an account with
us useless without the CLA.  I'm still looking into a couple of options but without something
like an agreement between our CLA and some other organization's CLA, Fedora's future as an
OpenID consumer is, unfortunately, limited.  We knew this was a possibility but made the
changes anyway and are hoping the Legal system can catch up :)

to post comments

OpenID provider vs relying party

Posted Aug 2, 2008 15:47 UTC (Sat) by tialaramex (subscriber, #21167) [Link] 

[This reply is a bit late coming, sorry]

OpenID doesn't forbid you from attaching some site-specific conditions to usage. I see that
the CLA process requires contributors to give you a telephone contact number and a home or
work address. You could easily also ask them to provide an OpenID at this point.

If someone signs into the site using an OpenID that doesn't have a CLA on file, you can send
them to information about joining Fedora. For existing members you can add an account page
which lets them add or remove an OpenID on their account, in the same way that they can
currently change their contact details or password.

If the CLA is taken very seriously (do you follow-up and check that every telephone number is
valid and contacts the person who filled out the form? that every address given is a
residential or office address and that the person lives or works there?) then you might want
to Whitelist OpenID providers based on their authentication policies, but in any case there is
no legal blocker to being a relying party. I hope you can make it happen.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds