Monday, March 30, 2009

Punctuation is Key

MyID.is Certified prepends some identity verification to OpenID-based authentication.

MyID.is is also an OpenID provider, but a certified OpenID provider as we have previously certified the Microformats embedded in your OpenID

The string 'Certified OpenID Provider' in the above can be interpreted in two different ways - distinguished by what gets certified.

MyID.is is a 'Provider of Certified OpenIDs' - this is not the same as a 'Certified Provider of OpenIDs'. It's the OpenIDs that MyID.is issues that are certified, not MyID.is itself.

Consequently, any RP for which 'certified OpenIDs' is important will need to trust MyID.is's own claims as to the rigor of the verification process. But how will the RP know?

I'm sensing some more assurance math, something along the lines of 'the amount of assurance in the process that certified the OP must be greater than or equal to the amount of assurance in the process that certified the OpenID....'

Ultimately, MyID.is needs to be a 'Certified Provider of Certified OpenIDs'......


Separately, I do like the idea of a 'random fee as shared secret'


You will also need a credit card with the same name that you are certifying. We will charge you only once a random certification fee between €2 and €5. Then you will have to check your bank statement and fill in on the MyID.is site the exact amount in Euro you’ve been charged.

Although actually checking the statement would make for a slow process.
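
A sketch of the verifier side of the 'random fee as shared secret' step, added here as an illustration and not MyID.is's own code. The €2 to €5 range is from the quote; cent granularity, the three-attempt limit and all names are assumptions. It shows how small the secret is and why the attempt limit carries most of the weight.

```python
import math
import re
import secrets

FEE_MIN_CENTS = 200  # EUR 2.00, lower bound quoted above
FEE_MAX_CENTS = 500  # EUR 5.00, upper bound quoted above
MAX_ATTEMPTS = 3     # assumption: the quoted text gives no attempt limit
SPACE = FEE_MAX_CENTS - FEE_MIN_CENTS + 1  # 301 possible amounts at cent granularity
_AMOUNT = re.compile(r"(\d{1,3})(?:[.,](\d{1,2}))?", re.ASCII)


def parse_euro(text):
    """Parse '3.47', '3,47', '3.5' or '3' into integer cents; None if malformed."""
    m = _AMOUNT.fullmatch(text.strip())
    if not m:
        return None
    return int(m.group(1)) * 100 + int((m.group(2) or "").ljust(2, "0"))


class FeeChallenge:
    """One certification attempt; the charged amount is the shared secret."""

    def __init__(self):
        # CSPRNG draw, uniform over 200..500 cents inclusive.
        self.cents = FEE_MIN_CENTS + secrets.randbelow(SPACE)
        self.attempts_left = MAX_ATTEMPTS
        self.verified = False

    def verify(self, claimed):
        """Check the amount typed by the user; every call costs one attempt."""
        if self.verified or self.attempts_left == 0:
            return False  # already used or locked out: a new charge is needed
        self.attempts_left -= 1
        cents = parse_euro(claimed)
        # Integer comparison in cents avoids float rounding such as 3.47 * 100.
        self.verified = cents is not None and cents == self.cents
        return self.verified


def guess_probability(attempts=MAX_ATTEMPTS):
    """Chance that blind guessing hits the fee within the attempt limit."""
    return min(attempts, SPACE) / SPACE


def secret_bits():
    """Entropy of the fee in bits: log2(301), a little over 8."""
    return math.log2(SPACE)
```

With these assumed parameters a blind guesser succeeds about 1% of the time per charge, so the check only demonstrates access to the card statement and is worthless without the lockout.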
