Paul Madsen has been having an ongoing dialog about an OpenID sign-in with Paul Toal and Pamela Dingle.
Paul's most recent post includes:
Consequently, having the user provide both the IDP through a drop-down list as well as an i-name would seem to provide only opportunity for confusion.
I would say that it's not just confusing but also more information that is necessary for that transaction (the purpose for which is to identify the IdP so that the user can be referred to the IdP to authenticate). You don't need the user's identity to do that -- all you need is the identity of the IdP.
Providing the full identity to the relying party is giving them a portion of what turns out to be your login credential in most cases -- something that most security people would say is a bad thing because if they wanted to hack into your account, they are now half-way there.
Even if you don't agree with the security argument (and I won't comment on your sanity), I can still fall back on the just-enough-information argument -- don't ask for or give more information than is necessary for the task at hand.
2 comments:
+1
well I think your argument is the same whether the user provides both an i-name (or more generally a personal URI) and selects their IDP from a list or merely provides their i-name on its own.
Paul 'confused as ever' Madsen
Post a Comment