Wednesday, November 14, 2007

OpenID provider fitness

I'm adding OpenID support to a site I am working on, but came up with an interesting question.

Typically I have the username/password/email and email verification process. Alternatively you enter your OpenID... but this is where I started to think. Do I limit the OpenID to trusted OpenID providers or do I just accept ANY OpenID? How do I know they haven't just set up their own provider, and how do I know whether the email is valid?

Do I request their email and ask them for yet another verification before they can use the site... something that could get quite annoying overall.

Would be nice to have an online service which you can query every so often to check the "fitness" of providers so you can decide whether a provider is valid or not. Similar to the certificate lists you get in your browser. This could be managed and be very beneficial for the community, I would have thought!? Anyone working on such a service?

If you are reading and have implemented an OpenID client on your site, how have you gotten round this?
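One way to express the choice raised above (trusted providers only, or any provider plus the site's own email check) as a relying-party policy. This is an added example, not code from the post; the host names, the HTTPS requirement and the function names `provider_host` and `signup_policy` are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of provider endpoint hosts (hypothetical names).
TRUSTED_PROVIDER_HOSTS = {"openid.example-provider.com", "id.example.org"}


def provider_host(endpoint_url):
    """Return the normalised host of an https provider endpoint, or None."""
    try:
        parts = urlsplit(endpoint_url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None             # assumption: only TLS endpoints are considered
    if parts.username or parts.password:
        return None             # an endpoint URL should not carry userinfo
    # hostname is already lower-cased; drop a trailing root dot.
    return parts.hostname.rstrip(".")


def signup_policy(endpoint_url, accept_any_provider=True):
    """Decide how to treat a login asserted by this provider endpoint.

    Returns (allow_login, require_email_verification).
    """
    host = provider_host(endpoint_url)
    if host is None:
        return (False, True)
    # Exact host match only: a suffix or substring test would also accept
    # look-alikes such as "openid.example-provider.com.evil.test".
    if host in TRUSTED_PROVIDER_HOSTS:
        return (True, False)
    # Unknown provider: anyone can run one, so the identifier proves nothing
    # about the email address. Either refuse, or allow the login but still
    # run the site's own email verification.
    return (accept_any_provider, True)


if __name__ == "__main__":
    for url in ("https://openid.example-provider.com/server",
                "https://self-hosted.example.net/openid"):
        print(url, signup_policy(url))
```

The check must run against the endpoint the relying party discovered and verified the assertion with, not against a string supplied by the user.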
