Up till now the ongoing thread on the need (or even 'morality') of whitelists or blacklists for OpenID has been abstract for me. I've had an opinion but the issue didn't hit home in any personal way. That's all changed.
I'd like to not have to actively moderate comments for this blog (it takes up a solid 30 secs of my day). Theoretically, by requiring someone to authenticate with an OpenID in order to post a comment, I might be willing to allow such authenticated comments to be automatically published without my intervention.
Currently, Blogger gives me blunt control over accepting OpenIDs: it's on/off.
But, as a potential consumer of authentication assertions from various OPs, a consumer willing to base a 'business decision' (publish or not publish comment) on the authenticity of those assertions, should I not have the right to be selective about which OPs I choose to 'partner' with? After all, if a bad comment makes it through the filter, it's my own reputation that suffers (please, no snickers).
Maybe I wake up one day on the wrong side of the bed and decide 'Damnation, today, I'm blacklisting SignOn.com!'. Or instead decide "Any OP that does 'pape.phishing-resistant' is good enough for me".
Isn't it my right as a relying party to decide who I rely on?
Are we allowed to associate reputation/assurance with an OpenID provider? Now you're just begging for a visitation from the conflation cops!
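The selective acceptance described in this post (blacklist one OP, or accept any OP that asserts PAPE phishing-resistant), sketched as an added example that is not part of the original post or Blogger's code. The host lists and function names are hypothetical, the sample assertion is constructed, and signature, nonce and return_to verification is assumed to have been done already by the OpenID library.

```python
from urllib.parse import urlsplit

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
# Hypothetical relying-party policy: "signon.com" is the post's own example,
# the trusted host is constructed. Hosts are matched exactly.
BLOCKED_OP_HOSTS = {"signon.com"}
TRUSTED_OP_HOSTS = {"trusted-op.example"}

def signed_fields(params):
    """Field names (without the 'openid.' prefix) covered by the OP's signature."""
    return set(params.get("openid.signed", "").split(","))

def pape_policies(params):
    """PAPE policy URIs the OP asserted, ignoring any that are not signed."""
    signed = signed_fields(params)
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            alias = key[len("openid.ns."):]
            if {f"ns.{alias}", f"{alias}.auth_policies"} <= signed:
                return set(params.get(f"openid.{alias}.auth_policies", "").split())
    return set()

def comment_decision(params):
    """Return 'publish' or 'moderate' for a comment tied to a positive assertion.
    Assumes the assertion's signature has already been verified."""
    if params.get("openid.mode") != "id_res" or "op_endpoint" not in signed_fields(params):
        return "moderate"
    host = (urlsplit(params.get("openid.op_endpoint", "")).hostname or "").lower()
    if host in BLOCKED_OP_HOSTS:
        return "moderate"  # the blacklist wins over any policy the OP asserts
    if host in TRUSTED_OP_HOSTS or PHISHING_RESISTANT in pape_policies(params):
        return "publish"
    return "moderate"

def sample_assertion(op_endpoint, policies=None, sign_pape=True):
    """Constructed sample assertion parameters (not captured traffic)."""
    params = {"openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
              "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    if policies is not None:
        params["openid.ns.pape"] = PAPE_NS
        params["openid.pape.auth_policies"] = policies
        if sign_pape:
            params["openid.signed"] += ",ns.pape,pape.auth_policies"
    return params

if __name__ == "__main__":
    print(comment_decision(sample_assertion("https://op.example/server", PHISHING_RESISTANT)))
```

The PAPE policy is the OP's own claim about how it authenticated the user, so accepting it from any OP still means trusting that OP to report honestly.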