OpenID and Promiscuity

Yesterday, Paul Madsen posted a small comment regarding the OpenID plugin for MediaWiki.

The plugin, as written, lets Relying Parties (in this case, the MediaWiki sites) build OpenID whitelists and blacklists. For example, a Relying Party could choose to accept OpenID identity URLs only from idp.myvauthid.com, or to reject all OpenID identity URLs from LiveJournal.

Paul argues that this sort of model is antithetical to the whole idea of OpenID – that a Relying Party is bound by best practices to accept any OpenID from any OpenID identity provider.

However, when it comes to security – especially with the implementation of the OpenID AQE – giving Relying Parties the ability to trust, or more importantly NOT to trust, a specific ID provider is critical. In a completely decentralized authentication model such as OpenID, there will be a need to block rogue ID providers – especially once comment spammers figure out how easy it would be to set up an OpenID ID provider that always confirms an identity without requiring authentication.
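A sketch of the kind of allow/deny decision a Relying Party could make before starting authentication, added here as an illustration and not taken from the MediaWiki plugin. The function names, the `livejournal.com` domain and the sample URLs are assumptions; it also goes slightly beyond the identity-URL check described above by testing the discovered provider endpoint too.

```python
from urllib.parse import urlsplit

def _host(url):
    """Lower-cased host of an http(s) URL, or None if it is not one."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()

def _matches(host, domain):
    """True when host is the domain itself or a subdomain of it.

    Matching on a label boundary keeps "notlivejournal.com" and
    "livejournal.com.example.net" from passing as "livejournal.com".
    """
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def provider_allowed(claimed_id, op_endpoint, allow=(), deny=()):
    """Hypothetical Relying Party policy check.

    Both the claimed identity URL and the provider endpoint are checked,
    because a delegated identity can live on one host while another host
    makes the assertion. Deny entries win over allow entries; an empty
    allow list means "anyone not denied".
    """
    hosts = [_host(claimed_id), _host(op_endpoint)]
    if None in hosts:
        return False  # unparseable or non-HTTP URL: fail closed
    if any(_matches(h, d) for h in hosts for d in deny):
        return False
    if allow:
        return all(any(_matches(h, d) for d in allow) for h in hosts)
    return True

if __name__ == "__main__":
    # Constructed sample: an identity on a personal blog delegating to a
    # provider on a denied domain is rejected.
    print(provider_allowed("https://blog.example.org/",
                           "https://www.livejournal.com/openid/server",
                           deny=["livejournal.com"]))
```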

As OpenID grows beyond wikis and blogs and becomes an identity system used for handling more secure or transactional data, the ability to trust specific Identity Providers becomes key. Methods such as the MediaWiki plugin may break part of the original vision of the standard, but they do provide the gateway towards OpenID’s future.
