[OpenID] Trust + Security @ OpenID
Eric Norman
ejnorman at doit.wisc.edu
Sun Jul 8 00:14:18 UTC 2007
On Jul 7, 2007, at 5:59 PM, Eddy Nigg (StartCom Ltd.) wrote:
> I want to concentrate on the third part, which doesn't mean that
> what you said in the first two is less important. Just the third
> section interests me most ;-)
>
> OpenID is currently completely decentralized and no requirements are
> set by anybody (yet). When comparing to PKI, anyone can run his own
> "CA" in the OpenID world. Like Cardspace and self-run IDPs, they are
> effectively like self-signed certificates. A relying party can choose
> to trust them, but nothing has been verified or guaranteed in any form
> (not even the integrity of the authentication process).
Seems like a fairly accurate description to me.
> I suggested a while ago to form a body which would provide to relying
> parties a service of supervision of IDPs. This body could define the
> requirements of IDPs and the verification thereof, which would assure
> to RPs adherence to that defined standard to a great extent. I'd
> envision this body to be an open and free foundation. I'd have another
> few ideas about how such a body could function and look, and allow any
> sincere IDP to operate his server. RPs could then choose to require
> any IDP to be verified by that body and block all the others (not a
> MUST, but an OPTION). Obviously this would prevent the mess of
> managing black lists as it's happening with mail servers today or
> other measures!
It sounds like you want to re-invent policy OIDs and their accoutrements.
Eric Norman
http://ejnorman.blogspot.com