[BNM] OpenID (was Upcoming Registration)
Dan Eastwell
daneastwell at gmail.com
Thu May 3 11:08:27 BST 2007
On 5/3/07, Jay Caines-Gooby <jay at gooby.org> wrote:
> On 5/3/07, Dan Eastwell <daneastwell at gmail.com> wrote:
> >
> > What I'm not clear on about OpenID, is if someone knows your openID
> > and you're logged in to your ID host on your openID delegate URL, can
> > they not just type your openID into any site and create new accounts
> > willy-nilly?
>
> Nope, because your OpenID provider service will still ask you whether
> to allow the new site you're trying to create an account for
> (essentially it's asking you "Do you trust this new site"), and to do
> this you'll still need to enter your delegate password.
>
> You need to turn things on their head a little to get how OpenID works.
>
> By their very nature people *will* know your OpenID - for a start it's
> publicly available on your delegate server or designated URL. You
> can see mine in the <head> portion of http://jay.gooby.org
>
> Just because you know my openid, doesn't mean you can do anything with
> it. You don't know the password that only I and my openid provider
> know.
>
> Read Simon Willison's excellent introduction:
>
> http://simonwillison.net/2007/Jan/10/account/
>
Yes, I've looked at his site, but not seen that article; I think it
puts the whole 'authentication' thing in place.
Having had a little play using various browsers and sessions and
'pretending' not to be me, I think I now understand how it works: if
someone uses your OpenID who is not you, they still get sent to your
delegate URL, which isn't a great deal of use unless you already are
logged in and in session on the server/host, in which case you
will be able to accept or decline a request for OpenID authorisation
from another site, which hopefully, /you/ made.
I hope that's about right, as doubtlessly I'll have to explain this to
other people in the future...
Cheers,
Dan.
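As an added illustration of the point settled in this exchange (a constructed model, not code from the list or from any OpenID library): the provider side only vouches for an identifier to a new site when the browser presenting the request already holds a logged-in session for that identifier and the user has approved that site, so someone who merely knows your OpenID gets no further than the login page. The identifier, password, site URLs and signing scheme below are all made up for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed user database: OpenID identifier -> password (toy only).
USERS = {"http://jay.example/": "correct horse"}


class Provider:
    """Simplified OpenID provider: session check, then trust prompt, then signed assertion."""

    def __init__(self):
        self.sessions = {}  # session token -> identifier of the logged-in user
        self.trusted = {}   # identifier -> set of site realms the user has approved
        self.key = secrets.token_bytes(32)  # secret used to sign assertions (constructed)

    def login(self, identifier, password):
        # Only the person holding the password gets a session; a stranger who knows
        # the identifier alone is stopped here.
        if USERS.get(identifier) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = identifier
        return token

    def approve_realm(self, token, realm):
        # The "Do you trust this new site?" answer, recorded for the logged-in user only.
        identifier = self.sessions.get(token)
        if identifier is not None:
            self.trusted.setdefault(identifier, set()).add(realm)

    def checkid(self, identifier, realm, token=None):
        # A relying party has sent the browser here claiming `identifier`.
        # 1) No live session for that identifier -> ask for the delegate password.
        if self.sessions.get(token) != identifier:
            return ("login_required", None)
        # 2) Session present but this site not yet approved -> show the trust prompt.
        if realm not in self.trusted.get(identifier, set()):
            return ("trust_prompt", None)
        # 3) Both satisfied -> issue an assertion bound to this identifier and realm.
        return ("assertion", self._sign(identifier, realm))

    def _sign(self, identifier, realm):
        return hmac.new(self.key, f"{identifier}|{realm}".encode(), hashlib.sha256).hexdigest()

    def verify(self, identifier, realm, signature):
        # The relying party checks the assertion it received (shared-secret model, toy only).
        return hmac.compare_digest(self._sign(identifier, realm), signature)
```

Run through it in order: `checkid` without a session yields `login_required`, after `login` it yields `trust_prompt`, and only after `approve_realm` does it hand the site a verifiable assertion.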