
Why do you think a "properly implemented" OpenID site should allow the user to use any authentication provider? The relying party site is trusting the OpenID provider to authenticate its users. Wouldn't sites with real security requirements want to vet providers before trusting them?


Exactly right.

And all OpenID providers have different attribute exchange protocol extensions. If you use them, you can effectively allow only those you have tested.
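
An added example, not part of the comments above: one way a relying party could enforce the vetting discussed here, accepting a login only when the provider endpoint found during discovery and the one named in the assertion agree and appear on an allowlist. The hostnames, the allowlist and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of vetted OpenID provider endpoints (hypothetical hosts).
VETTED_OP_ENDPOINTS = {
    "https://openid.example-idp.test/server",
    "https://login.example-corp.test/openid/endpoint",
}


def canonical_endpoint(url):
    """Return a canonical https URL string, or None if the URL is unacceptable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https":
        return None  # never trust a provider reached over plain http
    if parts.username or parts.password or not parts.hostname:
        return None  # rejects "https://vetted-host@other-host/" look-alikes
    if parts.query or parts.fragment:
        return None  # policy choice in this example: exact endpoints only
    host = parts.hostname.lower().rstrip(".")
    netloc = host if port in (None, 443) else f"{host}:{port}"
    return f"https://{netloc}{parts.path or '/'}"


_VETTED = {canonical_endpoint(u) for u in VETTED_OP_ENDPOINTS}


def is_vetted_provider(discovered_endpoint, asserted_endpoint):
    """True only if both endpoints canonicalise to the same vetted provider.

    discovered_endpoint: endpoint the relying party found by discovery on the
    user's claimed identifier. asserted_endpoint: the openid.op_endpoint value
    carried in the provider's positive assertion.
    """
    discovered = canonical_endpoint(discovered_endpoint)
    asserted = canonical_endpoint(asserted_endpoint)
    return discovered is not None and discovered == asserted and discovered in _VETTED
```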



