[OpenID] Trust + Security @ OpenID

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Mon Jul 16 09:29:57 UTC 2007


Hi Dimitry,

I think your effort is nice, which also shows once again how badly such a 
(good working) solution is needed. However, I have a few suggestions to make:

First of all, I believe that a list of IDPs which conform to a certain 
standard and criteria is way more effective than a black list of rough 
IDPs for reasons we all know.

Second, there needs to be a defined policy and criteria and not 
"/Identifiers issued by http://www.jkg.in/openid/ will definitely be 
there/". Or in other words, what makes an IDP worthy to be used by 
default for 99% of the relying parties? How do we protect OpenID, its 
RPs and effectively also all other end users...?

Third, OpenID isn't yet adopted widely, but already there are various 
black and white lists and other efforts cruising around....well, welcome 
to the world of SMTP (a protocol designed in the 80's)! Wouldn't it be 
better to create one combined effort by the community with clear 
policies and definitions? I'm not saying that your efforts are useless, 
but isn't this the wrong direction? Is this the result of the 
unwillingness of the OpenID leaders (notably the people listed here: 
http://openid.net/wiki/index.php/OpenID_Foundation/Board ) to address it?

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390

Dmitry Shechtman wrote:
>
> Errr...isn't this supposed to be a "white list server"? I mean, are 
> you having a black list of "bad" IDPs or are you registering "good" 
> IDPs in this list?
>
>  
>
> Although the term isn’t really important, I believe this should be a 
> black list (i.e. all are “good” by default) of identifiers (i.e. 
> “good” OPs may have issued “bad” identifiers, see the getopenid.com case).
>
>  
>
> Whatever the choice, under which criteria are you listing either one 
> on your list?
>
> Various heuristics will be used for blacklisting. Identifiers issued 
> by http://www.jkg.in/openid/ will definitely be there...
>
> Regards,
>
> Dmitry
>
> =damnian
>
