[fab] OpenID: an actually distributed identity system

Paul W. Frields stickster at gmail.com
Sat Sep 30 13:33:06 UTC 2006


On Fri, 2006-09-29 at 23:12 -0400, seth vidal wrote:
> On Fri, 2006-09-29 at 19:47 -0700, Karsten Wade wrote:
> > On Wed, 2006-09-27 at 18:23 +0530, Rahul wrote:
> > 
> > > It's not the requirement of the CLA itself for the wiki that is a big 
> > > problem but the process. If it's just a click through method I suspect 
> > > we wouldn't have any complaints at all.
> > 
> > The requirement we are meeting with the GPG signing is to provide a
> > higher likelihood that the new account holder is actually who they say
> > they are.
> > 
> > No promises, but I bet a valid OpenID would suffice for the proof.  The
> > CLA could then be just a click-through.
> > 
> 
> From what I've read there's no cryptographic signature of any type with
> OpenID.
> 
> We might want to make sure that's valid for legal purposes.

I believe the OpenID 2.0 standard (now in draft) does include some
signature capability from the ID provider to the target site.  But Seth
is right, the point of OpenID is not to prove that you are who you say
you are -- it's to prove that you're the same person who a URL says you
are (i.e. the owner).

Unless we have a way of trusting the authentication mechanism of the ID
provider, that information is not as useful as a GPG signature could be.
But on the other hand, right now we don't even require a key to be
signed by a mutually trusted third party, so anyone can create an email
address and a key, and fraudulently sign the CLA.  So I would question
that OpenID is really a lower standard than what we have now.

-- 
Paul W. Frields, RHCE                          http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
       Fedora Project Board: http://fedoraproject.org/wiki/Board
    Fedora Docs Project:  http://fedoraproject.org/wiki/DocsProject
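
Added example, not part of the original message or of any Fedora code: a sketch of the provider-to-site signature check in OpenID Authentication 2.0, assuming the association-based mode with HMAC-SHA256. The endpoint URLs, identifier, handle and key are constructed sample values. The MAC key is shared between provider and relying party, so the signature shows the site that the provider vouches for the URL, but unlike a GPG signature it proves nothing to a third party.

```python
import base64
import hashlib
import hmac

# Fields OpenID Authentication 2.0 requires to be listed in openid.signed.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
# Constructed sample values; the key would come from an association with the provider.
MAC_KEY = b"constructed-association-secret-0"
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": "https://wiki.example/openid/return",
    "openid.response_nonce": "2006-09-30T13:33:06Zabc123",
    "openid.assoc_handle": "constructed-handle",
}
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]

def signature_base(fields, signed):
    """Key-Value Form encoding of the signed fields, in the listed order."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode("utf-8")

def sign_assertion(fields, signed, mac_key):
    """Provider side: MAC the signed fields with the shared association key."""
    mac = hmac.new(mac_key, signature_base(fields, signed), hashlib.sha256).digest()
    out = dict(fields)
    out["openid.signed"] = ",".join(signed)
    out["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return out

def verify_assertion(fields, mac_key):
    """Relying-party side: return the claimed identifier, or None if the check fails."""
    signed = fields.get("openid.signed", "").split(",")
    covered = set(signed)
    if not REQUIRED_SIGNED <= covered:
        return None
    if "openid.claimed_id" in fields and not {"claimed_id", "identity"} <= covered:
        return None  # identifier present but not covered by the MAC
    if any("openid." + name not in fields for name in signed):
        return None
    expected = hmac.new(mac_key, signature_base(fields, signed), hashlib.sha256).digest()
    try:
        received = base64.b64decode(fields.get("openid.sig", ""), validate=True)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return fields.get("openid.claimed_id")
```

This covers only the MAC check; a relying party also has to reject replayed nonces, compare return_to with the request URL, and confirm through discovery that the provider is authoritative for the claimed identifier.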