[OpenID] Trust + Security @ OpenID

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Mon Jul 16 11:14:24 UTC 2007


Hi Dmitry,

Dmitry Shechtman wrote:
>
> I’ll have to disagree. E.g. although MyOpenID.com is generally known 
> as trustworthy (it even has client certificates), nothing would 
> prevent a spammer from manually registering an account with 
> MyOpenID.com to use it to automatically post everywhere.
>
That's correct, but my logic says:

1.) The IDP operates according to established rules (he is the trust 
anchor for the RP).
2.) The RP may require identities to be validated (according to 
current draft extensions, which can be further extended).

Now, if I can trust the IDP, i.e. he has undergone some verification 
process and is known to conform to a certain standard (which can 
include various different options, like A, B and C), the RP can require 
the IDP to be either A, B or C (or any combination thereof). 
Further, the RP can require identities to be, for example, 1) not 
validated, 2) validated by friends (web-of-trust), 3) validated by a CA 
(with different Class levels as well) and so on...

In that respect, the IDP decides which services he wants to 
provide and the RP decides which requirements he wants to 
apply for the login facility. For example, the RP which operates "Super 
Cool Forum" may set his requirements very low (or have no requirements at 
all), whereas a wiki for a closed group on future W3C standards wants to 
set its requirements high (validated identities, IDP verified and SSL 
secured, encrypted storage of data etc...).

Obviously an RP can't blame anybody if nobody posts to the forum because he 
requires the IDP to be rigorously checked and the identities to be Class 
3 CA validated ;-)
>
> Second, there needs to be a defined policy and criteria and not 
> "/Identifiers issued by http://www.jkg.in/openid/ will definitely be 
> there/". Or in other words, what makes an IDP worthy to be used by 
> default for 99% of the relying parties? How do we protect OpenID, its 
> RPs and effectively also all other end users...?
>
> Well, if such a policy and/or criteria could be easily defined (and 
> widely adopted), there would be no need for a central black/white list.
>
Right! This is what I am trying to do... let's combine your effort and that of 
others and form a standard, policy and criteria which would fit all of us...
>
> Third, OpenID isn't yet adopted widely, but already there are various 
> black and white lists and other efforts cruising around....
>
> Are there? In that case, I should stop working on mine.
>
1.) You have one...
2.) Here is another one: http://simonwillison.net/2007/Jan/22/whitelisting/
3.) At http://openid.barnraiser.net/ they try to achieve this as well, in 
a different way...

All of them posted within the last 48 hours to this list!
>
> Wouldn't it be better to create one combined effort by the community 
> with clear policies and definitions? I'm not saying that your efforts 
> are useless, but isn't this the wrong direction? Is this the result of 
> the unwillingness of the OpenID leaders (notably the people listed 
> here: http://openid.net/wiki/index.php/OpenID_Foundation/Board ) to 
> address it?
>
> If you believe my efforts are going in the wrong direction, please by 
> all means elaborate on what you see as the right one. As I already 
> mentioned in previous discussions, I believe the OpenID Foundation 
> shouldn’t be in charge of a central black/white list. I completely 
> agree with the board’s (in)decision, as it helps keep OpenID as 
> decentralized as possible.
>
Personally I don't see a problem with it. I'd love to rely on an effort 
led by the OpenID Foundation. Remember, it's the RP which makes the 
decision whether to use it and which requirements he wants to have applied. 
In the same way, however, the community can start its own body for this 
purpose, which is fine with me too... I'm interested in the end result 
and willing to contribute to that end.

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390