On 10 Dec 2008, at 17:52, Brian Gilmore wrote:
>
> Surely the basic problem exists.
>
> If I have a users [log in to unmask] then I don't really have
> any trust that the next time I see *that* ID that it is actually the
> same user.
>
> Hence it still can't be used as part of a chain to deliver a higher
> value of trust that I would have put in that ID in the first place
No, OpenID _does_ prove that the bearer of a given URL has control
over, or 'owns' that URL, between logins. An OpenID of
http://spivs.x.y.z/bill.gates is a stable identifier, but certainly doesn't
prove that it _is_ owned by Bill Gates (but that's not the use-case
here). Of course this assumes that the identity provider adequately
authenticates the user and has reasonable policies around password and
service management. An RP can choose to white-list OPs that it is
assured do this, which is what Microsoft recently did with
HealthVault.
David
--
David Orrell
Identity Systems Architect
Eduserv Foundation
[log in to unmask]
Tel: +44 (0)1225 474309
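The two RP-side checks David's reply relies on, as an added example that is not part of the thread: the OP that signed a positive assertion must be the one discovery found for the claimed identifier (so no OP can assert someone else's URL), and that OP must be on the RP's white-list. Assumes the assertion's signature has already been verified by the RP's OpenID library; the OP endpoints and discovery results are constructed stand-ins.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit, urlunsplit

# Constructed: OPs this RP is assured authenticate users adequately.
TRUSTED_OP_ENDPOINTS: Set[str] = {
    "https://op.example.org/server",
    "https://login.example.net/openid",
}

# Constructed stand-in for OpenID discovery (Yadis/HTML) results:
# normalized claimed identifier -> OP endpoint it delegates to.
DISCOVERY: Dict[str, str] = {
    "http://spivs.x.y.z/bill.gates": "https://op.example.org/server",
    "https://alice.example.com/": "https://rogue-op.example/server",
}


def normalize_claimed_id(url: str) -> str:
    """Normalize a URL identifier so the same identifier always yields the
    same local key: lower-case scheme and host, drop fragment, '' path -> '/'."""
    parts = urlsplit(url.strip())
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


def accept_assertion(assertion: Dict[str, str],
                     discovery: Dict[str, str] = DISCOVERY,
                     trusted: Set[str] = TRUSTED_OP_ENDPOINTS) -> Optional[str]:
    """Policy check on a signature-verified positive assertion.
    Returns the stable local key for the user, or None to reject."""
    if assertion.get("openid.mode") != "id_res":
        return None
    claimed = normalize_claimed_id(assertion.get("openid.claimed_id", ""))
    op_endpoint = assertion.get("openid.op_endpoint", "")
    # The signing OP must match what discovery found for the identifier;
    # otherwise any OP could vouch for any URL.
    if discovery.get(claimed) != op_endpoint:
        return None
    # Only white-listed OPs are trusted to have authenticated the user.
    if op_endpoint not in trusted:
        return None
    # The identifier, not any profile data, is the stable thing to key on.
    return claimed
```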