> I believe the OpenID 2.0 standard (now in draft) does include some > signature capability from the ID provider to the target site. But Seth > is right, the point of OpenID is not to prove that you are who you say > you are -- it's to prove that you're the same person who a URL says you > are (i.e. the owner). > > Unless we have a way of trusting the authentication mechanism of the ID > provider, that information is not as useful as a GPG signature could be. > But on the other hand, right now we don't even require a key to be > signed by a mutually trusted third party, so anyone can create an email > address and a key, and fraudulently sign the CLA. So I would question > that OpenID is really a lower standard than what we have now. Maybe http://cacert.org/ could be added to the Fedora infrastructure to get more trust into who we add to Fedora? regards, Florian La Roche _______________________________________________ fedora-advisory-board mailing list fedora-advisory-board@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-advisory-board _______________________________________________ fedora-advisory-board-readonly mailing list fedora-advisory-board-readonly@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-advisory-board-readonly
