---- Original Message -----
From: "Marc A. Pelletier" marc@uberbox.org
On 02/22/2013 10:43 PM, Jay Ashworth wrote:
So, then, all OpenID guarantees is "this provider says it's the same person it was last time"?
The exact semantics is, IIRC, "that person has presented credential to us we accept as identifying them as our user $IDENTIFIER". Whether the client trusts that $IDENTIFIER is reasonably stable for their purposes, or that they trust our word, is their call.
I'm translating that as "yes". :-)
I've always looked with rather a jaundiced eye at OpenID, as it was sold as "you can run your own authenticator service", and that always struck me as "I am who I say I am", which is, obviously, pretty useless, in the general case. (Early examples showed login boxes where you *provided the URL of a random OID provider*; clearly, if the site doesn't trust said provider, the transaction is useless.)
Cheers, -- jra