----- Original Message -----
From: "Marc A. Pelletier" <marc(a)uberbox.org>
> On 02/22/2013 10:43 PM, Jay Ashworth wrote:
> > So, then, all OpenID guarantees is "this provider says it's the same
> > person it was last time"?
>
> The exact semantics is, IIRC, "that person has presented credential to
> us we accept as identifying them as our user $IDENTIFIER". Whether the
> client trusts that $IDENTIFIER is reasonably stable for their
> purposes, or that they trust our word, is their call.

I'm translating that as "yes". :-)
I've always looked with rather a jaundiced eye at OpenID, as it was sold
as "you can run your own authenticator service", and that always struck me
as "I am who I say I am", which is, obviously, pretty useless, in the
general case. (Early examples showed login boxes where you *provided
the URL of a random OID provider*; clearly, if the site doesn't trust
said provider, the transaction is useless.)
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra(a)baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates
http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA #natog +1 727 647 1274