[Fwd: Re: Yahoo available AX attrs]
OpenID contemplates tackling attribute assurance (or at least taking a step down that road)

paul

-------- Original Message --------
Subject: Re: Yahoo available AX attrs
Date: Tue, 8 Dec 2009 10:59:42 -0800
From: Chris Messina <chris.messina@gmail.com>
To: Joseph A Holsten <joseph@josephholsten.com>
CC: openid-specs@lists.openid.net <openid-specs@lists.openid.net>
References: <C74317BF.1B018%atom@yahoo-inc.com> <374450F0-E497-4141-A024-338C4BD3C3D3@josephholsten.com> <419E40647338514BBA4F8031282090AE1D5909E830@VMBX107.ihostexchange.net> <1E510DF2-8FEA-44C1-8544-F9EFDDABA39F@josephholsten.com>

On Tue, Dec 8, 2009 at 10:18 AM, Joseph A Holsten <joseph@josephholsten.com> wrote:

> I don't mean to troll. I just don't understand why RPs don't just trust the OP's word. Even if this is just a flag to show that Yahoo/JanRain/Google did the verification, aren't they going to have to ignore it when I send it from my OP of ill repute? If they're second-guessing the OP based on verified-timestamp and i'm-the-postmaster-i-mean-it, that's at least something, though it'll still need a whitelist of OPs that probably don't cheat.
>
> Am I nuts? Are RPs really saying they don't trust an email assertion from a whitelisted OP without a verified flag? Or that they aren't going to whitelist at all?

A better way to think about this is that an RP wants to know what kind of certainty or validity there is to the data being provided by the OP. If the OP allows the user to specify an email address without confirming it, the RP should know that — and then do their own confirmation if that email address is being used, say, for sending a receipt after a purchase, or for recovering an account if a user forgets their OpenID (which happens more than you'd imagine).

Thus if we ignore the "trust issue(s)", we begin to see that the "verified" attribute has more to do with setting expectations around the quality of the data being provided by the OP to the RP, giving the RP the ability to choose what business-logic rules to apply to the data. While it would be nice for RPs to implicitly trust OPs' assertions, and many will, I think it's worthwhile to provide a mechanism for evaluating this data.

Chris

--
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is: [ ] shareable [X] ask first [ ] private

_______________________________________________
specs mailing list
specs@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs
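The RP-side logic the two messages argue about, as an added example that is not part of the thread and not code from any OP or RP: it parses an OpenID 2.0 positive assertion carrying an AX fetch_response, refuses to use AX fields that are not covered by openid.signed, and then applies the business rule Chris describes (take a "verified" email at face value only from a whitelisted OP, otherwise do the RP's own confirmation). The type URI for the verified flag and the whitelist contents are assumptions; no such URI exists in the AX spec. The assertion's signature and nonce are assumed to have been checked already.

```python
"""RP policy for an AX-asserted email with an optional "verified" flag.

Added example, not from the mailing-list thread. The parameter names follow
OpenID 2.0 and AX 1.0; EMAIL_VERIFIED_TYPE and TRUSTED_OPS are assumptions.
"""
from urllib.parse import parse_qs, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"
EMAIL_TYPE = "http://axschema.org/contact/email"
# Hypothetical type URI: the thread discusses a "verified" flag but names no URI.
EMAIL_VERIFIED_TYPE = "http://example.org/ax/email_verified"
# OP endpoints this RP has chosen to whitelist (assumed, for illustration).
TRUSTED_OPS = {"https://op.example.com/openid"}


def ax_alias(params):
    """Find the alias the OP used for the AX namespace (usually 'ax')."""
    for key, vals in params.items():
        if key.startswith("openid.ns.") and AX_NS in vals:
            return key[len("openid.ns."):]
    return None


def ax_attributes(params):
    """Return {type_uri: [values]} from a signed AX fetch_response.

    Returns {} if there is no fetch_response or if any AX field is missing
    from openid.signed: an unsigned attribute could have been altered in
    transit and says nothing about what the OP actually asserted.
    """
    alias = ax_alias(params)
    if alias is None:
        return {}
    prefix = f"openid.{alias}."
    if params.get(prefix + "mode") != ["fetch_response"]:
        return {}
    signed = set(params.get("openid.signed", [""])[0].split(","))
    ax_keys = [k for k in params if k.startswith(prefix)] + [f"openid.ns.{alias}"]
    if any(k[len("openid."):] not in signed for k in ax_keys):
        return {}
    attrs = {}
    for key, vals in params.items():
        if not key.startswith(prefix + "type."):
            continue
        name = key[len(prefix + "type."):]
        count = params.get(f"{prefix}count.{name}")
        if count:  # multi-valued: value.<name>.1 .. value.<name>.N
            values = [params.get(f"{prefix}value.{name}.{i}", [""])[0]
                      for i in range(1, int(count[0]) + 1)]
        else:      # single-valued: value.<name>
            values = params.get(f"{prefix}value.{name}", [])
        attrs[vals[0]] = values
    return attrs


def email_policy(query_string):
    """Classify the asserted email: 'trusted', 'confirm_required' or 'no_email'."""
    params = parse_qs(query_string, keep_blank_values=True)
    attrs = ax_attributes(params)
    email = next((v for v in attrs.get(EMAIL_TYPE, []) if v), None)
    if email is None:
        return "no_email", None
    verified = (attrs.get(EMAIL_VERIFIED_TYPE) or [""])[0].lower() == "true"
    op = params.get("openid.op_endpoint", [""])[0]
    # Only a whitelisted OP's verified flag is taken at face value; anything
    # else still needs the RP's own confirmation before the address drives
    # receipts or account recovery.
    if verified and op in TRUSTED_OPS:
        return "trusted", email
    return "confirm_required", email


def build_response(op_endpoint, email, verified=None, sign_ax=True):
    """Constructed positive assertion for testing; not a real OP response."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.return_to": "https://rp.example.net/return",
        "openid.response_nonce": "2009-12-08T18:59:42Zabc",
        "openid.assoc_handle": "handle-1",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": EMAIL_TYPE,
        "openid.ax.value.email": email,
    }
    if verified is not None:
        fields["openid.ax.type.verified"] = EMAIL_VERIFIED_TYPE
        fields["openid.ax.value.verified"] = "true" if verified else "false"
    signed = [k[len("openid."):] for k in fields
              if k != "openid.ns" and (sign_ax or ".ax" not in k)]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = "placeholder-base64-hmac"  # not a real signature
    return urlencode(fields)
```

The signed-field check matters more than the whitelist: without it, a "verified=true" the OP never asserted can be appended to the return_to URL by whoever sits on the redirect, and the whitelist then vouches for data the whitelisted OP never sent.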
participants (1)
-
Paul Madsen