Thursday, December 21, 2006

Trust and OpenID #2

Avery Glasser writes of OpenID And Promiscuity:

As OpenID grows beyond wikis and blogs and becomes an identity system used for handling more secure or transactional data, the need to be able to trust specific Identity Providers becomes key. Methods such as the MediaWiki plugin may break part of the original vision of the standard, but it does provide the gateway towards OpenID’s future.

This just follows the train of thought I laid out in "Trust and OpenID" -- valuable transactions require security and trust across all parties.

When OpenID starts to solve those problems, it can go through all the blood, sweat and tears that the folks at the Liberty Alliance and the OASIS SSTC did in coming up with a protocol that identified and closed many of the security vulnerabilities in such a system. Or it can adopt work that has been heavily reviewed and implemented, and which meets all of the needs that I have seen expressed and then some.

As I've stated earlier, even if there are some additions or profiles that are needed, I'm sure that the folks involved in SAML (into which Liberty has converged its ID-FF work) would be more than willing to explore meeting those needs.

The bottom line is that security is hard. There's no reason to go through that exercise yet again (unless you like pain).

