[Dg-concordia] [Fwd: Re: Yahoo available AX attrs]

Paul Madsen paulmadsen at rogers.com
Tue Dec 8 16:28:48 EST 2009


OpenID contemplates tackling attribute assurance (or at least taking a 
step down that road)

paul

-------- Original Message --------
Subject: 	Re: Yahoo available AX attrs
Date: 	Tue, 8 Dec 2009 10:59:42 -0800
From: 	Chris Messina <chris.messina at gmail.com>
To: 	Joseph A Holsten <joseph at josephholsten.com>
CC: 	openid-specs at lists.openid.net <openid-specs at lists.openid.net>
References: 	<C74317BF.1B018%atom at yahoo-inc.com> 
<374450F0-E497-4141-A024-338C4BD3C3D3 at josephholsten.com> 
<419E40647338514BBA4F8031282090AE1D5909E830 at VMBX107.ihostexchange.net> 
<1E510DF2-8FEA-44C1-8544-F9EFDDABA39F at josephholsten.com>



On Tue, Dec 8, 2009 at 10:18 AM, Joseph A Holsten 
<joseph at josephholsten.com <mailto:joseph at josephholsten.com>> wrote:

    I don't mean to troll. I just don't understand why RPs don't just
    trust the OP's word. Even if this is just a flag to show that
    Yahoo/JanRain/Google did the verification, aren't they going to have
    to ignore it when I send it from my OP of ill repute? If they're
    second guessing the OP based on verified-timestamp and
    i'm-the-postmaster-i-mean-it, that's at least something, though
    it'll still need a whitelist of OP that probably don't cheat.

    Am I nuts? Are RPs really saying they don't trust an email assertion
    from a whitelisted OP without a verified flag? Or that they aren't
    going to whitelist at all?


A better way to think about this is that an RP wants to know what kind 
of certainty or validity there is to the data being provided by the OP. 

If the OP allows the user to specify an email address without confirming 
it, the RP should know that — and then do their own confirmation if that 
email address is being used, say, for sending a receipt after a 
purchase, or for recovering an account if a user forgets their OpenID 
(which happens more than you'd imagine).

Thus if we ignore the "trust issue(s)", we begin to see that the 
"verified" attribute has more to do with setting expectations around the 
quality of the data being provided by the OP to the RP, giving the RP 
the ability to choose what business-logic-rules to apply to the data.

While it would be nice for RPs to implicitly trust OPs' assertions, and 
many will, I think it's worthwhile to provide a mechanism for evaluating 
this data.

Chris
 
-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private
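Chris's point above, that the "verified" flag sets expectations on data quality so the RP can pick a business rule rather than a trust rule, is easiest to see as RP-side code. The block below is an added example, not code from this thread, from Yahoo, or from any OpenID library. It assumes a hypothetical AX type URI for the verified flag (the thread does not settle on one), a constructed OP allowlist, and a constructed `id_res` response; signature checking (association or `check_authentication`) is assumed to have already passed, and the example only checks that the AX fields are covered by `openid.signed` before relying on them.

```python
from urllib.parse import parse_qs

AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
# ASSUMPTION: hypothetical type URI for the "verified" flag the thread discusses.
AX_EMAIL_VERIFIED = "http://example.org/ax/contact/email/verified"

# Constructed allowlist of OP endpoints this RP is prepared to rely on.
TRUSTED_OPS = {"https://op.example.net/auth"}


def parse_ax(query):
    """Return {"endpoint": op_endpoint, "attrs": {type_uri: value}}.

    Only AX fields listed in openid.signed are kept: the OpenID 2.0 signature
    covers exactly those fields, so an unsigned AX field could have been added
    by anyone able to tamper with the return_to request. Verifying the
    signature itself is assumed to have happened before this is called.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    signed = set(params.get("openid.signed", "").split(","))
    if "op_endpoint" not in signed:
        raise ValueError("op_endpoint is not covered by the signature")
    endpoint = params.get("openid.op_endpoint", "")

    # The OP chooses the extension alias (usually "ax"); find it by namespace.
    ax_alias = None
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            if key[len("openid."):] not in signed:
                raise ValueError("AX namespace declaration is not signed")
            ax_alias = key[len("openid.ns."):]

    attrs = {}
    if ax_alias is None:
        return {"endpoint": endpoint, "attrs": attrs}

    prefix = "openid.%s." % ax_alias
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        alias = key[len(prefix + "type."):]
        value_key = prefix + "value." + alias
        if value_key not in params:
            continue
        # Drop any attribute whose type or value field is outside openid.signed.
        if key[len("openid."):] not in signed or value_key[len("openid."):] not in signed:
            continue
        attrs[type_uri] = params[value_key]
    return {"endpoint": endpoint, "attrs": attrs}


def email_policy(response):
    """Business rule for the asserted email. Returns (action, email):

    "accept"  - an allowlisted OP asserted it and says it was verified
    "confirm" - usable only after the RP's own confirmation round-trip
    "none"    - no usable email was asserted
    """
    email = response["attrs"].get(AX_EMAIL)
    if not email:
        return ("none", None)
    # ASSUMPTION: the flag is carried as the literal string "true".
    verified = response["attrs"].get(AX_EMAIL_VERIFIED, "").lower() == "true"
    if response["endpoint"] in TRUSTED_OPS and verified:
        return ("accept", email)
    # Either an OP we don't rely on, or the OP itself says it never checked.
    return ("confirm", email)


def decide_from_query(query):
    return email_policy(parse_ax(query))


# Constructed id_res response carrying a signed email and a signed verified flag.
SAMPLE_RESPONSE = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fop.example.net%2Fauth"
    "&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to"
    "%2Cresponse_nonce%2Cassoc_handle%2Cns.ax%2Cax.mode"
    "%2Cax.type.email%2Cax.value.email%2Cax.type.ver%2Cax.value.ver"
    "&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
    "&openid.ax.mode=fetch_response"
    "&openid.ax.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
    "&openid.ax.value.email=alice%40example.com"
    "&openid.ax.type.ver=http%3A%2F%2Fexample.org%2Fax%2Fcontact%2Femail%2Fverified"
    "&openid.ax.value.ver=true"
)

if __name__ == "__main__":
    print(decide_from_query(SAMPLE_RESPONSE))
```

The same response with the flag's fields dropped from `openid.signed`, or with an OP endpoint outside the allowlist, falls through to "confirm": the RP still uses the address, but only after its own round-trip, which is the "set expectations, then apply a business rule" behaviour Chris describes rather than a hard trust decision.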
