This post originated from an RSS feed registered with Python Buzz
by Phillip Pearson.
Original Post: Decentralised federated ID usability - openid/sxip bookmarklet?
Feed Title: Second p0st
Feed URL: http://www.myelin.co.nz/post/rss.xml
Feed Description: Tech notes and web hackery from the guy that brought you bzero, Python Community Server, the Blogging Ecosystem and the Internet Topic Exchange
One thing that strikes me about it is: how do you protect against dishonest sites and phishing? If I enter sxore.org and click 'sxip in', what guarantee do I have that I actually get sent to sxore.org? It would be cool if the identification process happened the other way around, i.e. I visit a site that I want to log in to, I click a bookmarklet which sends me to my ID provider, and I log in there, then the ID provider sends me back to the 'consumer' site. I'm required to trust my ID provider, but this way reduces the trust required of the consumer site.
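
The bookmarklet-initiated flow proposed above, sketched as an added example (not code from the original post or from any OpenID or sxip implementation). The provider origin `https://id.example.net`, the `/login` path and the `return_to` parameter name are assumptions made for illustration.

```javascript
// Added illustration. PROVIDER_ORIGIN, "/login" and "return_to" are hypothetical.
const PROVIDER_ORIGIN = "https://id.example.net"; // fixed inside the user's own bookmark

// What the bookmarklet runs on the consumer page. The page contributes only the
// return address; it has no say in where the login request is sent.
function buildProviderLoginUrl(currentPageUrl, providerOrigin = PROVIDER_ORIGIN) {
  const page = new URL(currentPageUrl);
  if (page.protocol !== "https:" && page.protocol !== "http:") {
    throw new Error("cannot sign in from a " + page.protocol + " page");
  }
  const login = new URL("/login", providerOrigin);
  // Drop query string and fragment so page state is not passed to the provider.
  login.searchParams.set("return_to", page.origin + page.pathname);
  return login.toString();
}

// Provider side, after the user has authenticated: work out which consumer site
// to name on the confirmation screen and where to send the user back.
function describeReturn(loginUrl, providerOrigin = PROVIDER_ORIGIN) {
  const login = new URL(loginUrl);
  if (login.origin !== providerOrigin) {
    throw new Error("request was not addressed to this provider");
  }
  const raw = login.searchParams.get("return_to");
  if (raw === null) throw new Error("missing return_to");
  const returnTo = new URL(raw);
  if (returnTo.protocol !== "https:" && returnTo.protocol !== "http:") {
    throw new Error("unsupported return_to scheme");
  }
  return { consumerHost: returnTo.hostname, returnTo: returnTo.toString() };
}

// Constructed sample: a consumer page the user wants to log in to.
const samplePage = "https://blog.example.org/comments?post=7#c3";
const sampleLogin = buildProviderLoginUrl(samplePage);
console.log(sampleLogin);
console.log(describeReturn(sampleLogin));
```

Because the destination origin is a constant in the bookmark, nothing on the consumer page can change where the password is typed; the consumer site only learns the outcome when the provider sends the user back.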