[fab] OpenID: an actually distributed identity system
Florian La Roche
laroche at redhat.com
Sun Oct 1 06:25:28 UTC 2006
> I believe the OpenID 2.0 standard (now in draft) does include some
> signature capability from the ID provider to the target site. But Seth
> is right, the point of OpenID is not to prove that you are who you say
> you are -- it's to prove that you're the same person who a URL says you
> are (i.e. the owner).
>
> Unless we have a way of trusting the authentication mechanism of the ID
> provider, that information is not as useful as a GPG signature could be.
> But on the other hand, right now we don't even require a key to be
> signed by a mutually trusted third party, so anyone can create an email
> address and a key, and fraudulently sign the CLA. So I would question
> that OpenID is really a lower standard than what we have now.
Maybe http://cacert.org/ could be added to the Fedora infrastructure
to get more trust into who we add to Fedora?
regards,
Florian La Roche