 

OpenID providers - what stops malicious providers?

So I like the OpenID idea. I support it on my site, and use it wherever it's possible (like here!). But I am not clear about one thing.

A site that supports OpenID basically accepts any OpenID provider out there, right? How does that work with sites that want to reduce bot-signups? What's to stop a malicious OpenID provider from setting up unlimited bot IDs automatically?

I have some ideas, and will post them as a possible answer, but I was wondering if anyone can see something obvious that I've missed?

zigdon asked Sep 17 '08 18:09


1 Answer

You have confused two different things - identification and authorization. Just because you know who somebody is, it doesn't mean you have to automatically give them permission to do anything. Simon Willison covers this nicely in An OpenID is not an account! More discussion on whitelisting is available in Social whitelisting with OpenID.

Jim answered Sep 30 '22 14:09
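The distinction the answer draws, expressed as site-side policy code: OpenID verification tells you *which* identifier authenticated and *which* provider (OP endpoint) vouched for it, and nothing more; whether that identity gets an account is a separate authorization decision. This is an added illustration, not code from the question, the answer, or any OpenID library. It assumes the identifier and OP endpoint have already been verified by your OpenID consumer, and every provider name, identity URL and limit below is constructed.

```python
"""Identification vs authorization for OpenID signups.

Assumed input: an identifier URL and OP endpoint URL that an OpenID
consumer library has ALREADY verified. This code only decides whether
that verified identity is allowed to create an account.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse


def normalize_identifier(claimed_id: str) -> Optional[str]:
    """Canonicalise an OpenID identifier URL so whitelist lookups are stable.

    Returns None when the value is not an http(s) URL with a host.
    """
    parts = urlparse(claimed_id.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    path = parts.path or "/"  # "https://alice.example.org" == "https://alice.example.org/"
    return f"{parts.scheme}://{parts.hostname.lower()}{path}"


@dataclass
class SignupPolicy:
    # Providers whose identities may open accounts without review (constructed).
    trusted_providers: Set[str] = field(default_factory=set)
    # Individual identities vouched for by existing members ("social whitelisting").
    vouched_identities: Set[str] = field(default_factory=set)
    # Cap on automatic account creation per provider within one window, so a
    # single provider minting identities in bulk cannot flood the site.
    per_provider_limit: int = 5
    window_seconds: int = 3600
    recent_signups: Dict[str, List[float]] = field(
        default_factory=lambda: defaultdict(list)
    )


def decide_signup(policy: SignupPolicy, claimed_id: str,
                  op_endpoint: str, now: float) -> str:
    """Return "create", "pending" (hold for moderator review) or "reject".

    The identity is never "rejected" for coming from an unknown provider;
    it is simply not granted an account automatically.
    """
    identifier = normalize_identifier(claimed_id)
    provider = urlparse(op_endpoint).hostname
    if identifier is None or provider is None:
        return "reject"  # malformed input, cannot even identify

    # 1. Explicitly vouched-for identities are authorized regardless of provider.
    vouched = {normalize_identifier(v) for v in policy.vouched_identities}
    if identifier in vouched:
        return "create"

    # 2. Unknown provider: identified, but not authorized to self-register.
    if provider.lower() not in policy.trusted_providers:
        return "pending"

    # 3. Trusted provider: still rate-limit automatic account creation.
    window = policy.recent_signups[provider.lower()]
    window[:] = [t for t in window if now - t < policy.window_seconds]
    if len(window) >= policy.per_provider_limit:
        return "pending"
    window.append(now)
    return "create"


if __name__ == "__main__":
    pol = SignupPolicy(trusted_providers={"openid.example.net"},
                       vouched_identities={"https://alice.example.org"},
                       per_provider_limit=2)
    op = "https://openid.example.net/server"
    for i in range(4):
        print(decide_signup(pol, f"https://openid.example.net/u/user{i}", op, i))
```

The three outcomes map onto the answer's point: "create" is authorization granted, "pending" is an identity you accept as authenticated but have not yet chosen to trust, and only malformed input is rejected outright. In a real consumer, use the OP endpoint discovered during verification (as here) rather than the identifier's own host, since an identifier URL may delegate to a provider elsewhere.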