Yesterday, Paul Madsen posted a small comment regarding the OpenID plugin for MediaWiki.
The plugin, as it has been created, gives the ability for Relying Parties (in this case, the MediaWiki sites) to build OpenID whitelists and blacklists. For example, the Relying Party could choose to only accept OpenID identity URLs from idp.myvauthid.com, or choose to reject all OpenID identity URLs from Livejournal.
Paul poses that this sort of model is antithetical to the whole idea of OpenID – that a Relying Party is bound by best practices to accept any OpenID from any OpenID identity provider.
However, when it comes to security – especially with the implementation of the OpenID AQE – giving Relying Parties the ability to specifically trust, or more importantly the ability NOT to trust an ID provider is critical. In a completely decentralized authentication model, such as OpenID, there will be the need to block rogue ID providers – especially once comment spammers figure out how easy it would be to set up an OpenID ID provider that always confirms an identity without requiring authentication.
As OpenID grows beyond wikis and blogs and becomes an identity system used for handling more secure or transactional data, the need to be able to trust specific Identity Providers becomes key. Methods such as the MediaWiki plugin may break part of the original vision of the standard, but it does provide the gateway towards OpenID’s future.
I agree that rogue providers force relyng parties to do extra work to authenticate users, which breaks the whole “lightweight” paradigm.