[OpenID] Rule of thumb

Recordon, David drecordon at verisign.com
Sat Jul 21 23:27:10 UTC 2007


One vital difference is that it isn't "four or five" vendors since in the SSL world there are few browsers used by many people.  In the OpenID world, there are already the equivalent of thousands of "vendors" where the vendor is the RP making the choice of who to trust.

--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Peter Williams
Sent: Friday, July 13, 2007 1:55 PM
To: Eddy Nigg (StartCom Ltd.); Peter Williams
Cc: OpenID - General
Subject: Re: [OpenID] Rule of thumb

So let's carry forward the issue to OpenID, where we have a more or less clean slate. We don't have any legacy trust or organizational practices in OpenID. Or do we?

Do we want to emulate the PKI world, where four or five software vendors would set a criteria bar on OP providers by default (and auto-enforce it, with something equivalent to the HTTPS world's nasty, consumer-unfriendly popups for the rest of the open world that can play, but only with the handicap)?

Let's now test the hard case.

I create an OpenID provider that accepts SSL client certs from CAcert. It issues OpenID assertions using signed-MAC security mechanisms.

Are you advocating that the major RPs now refuse to accept that OP provider, because of its earlier association with the unacceptable CAcert?

Hard case 2.

If I use a CAcert SSL session to protect the OpenID auth flow, are we saying again: reject BY DEFAULT (or accept with handicaps) on those grounds?

Are we saying that there will be a preferred world of certain OP providers, much as there is a similar notion in the CA world?

If we go this route, OpenID will have the same adoption dynamics as PKI, and the same meta trust model. There is nothing Web 2.0 about it. The "fully decentralized ID system with WebSSO properties" label will be a sham. Like PKI in practice for the web, power would be entirely centralized (and we can agree or not on what certain trade associations may or may not be doing to influence the bars applied, almost uniformly, by both the community-centric and business-policy-making bodies).
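The "signed-MAC" assertion and the RP's own trust choice discussed above, as an added example (Python; not code from this thread, from the OpenID specification, or from any listed project): the RP recomputes the OpenID 2.0 HMAC-SHA256 signature over the Key-Value Form of the fields named in openid.signed, rejects tampered or unsigned-field assertions, and only then applies its own allow-list of OP endpoints. The shared secret, endpoints, identifiers and nonce are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed example secret, standing in for the key an RP and OP would have
# agreed on via an OpenID 2.0 association of type HMAC-SHA256. Not a real key.
SHARED_SECRET = b"constructed-association-key-not-a-real-secret"


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-Value Form encoding of the signed fields, in openid.signed order.
    Keys carry no 'openid.' prefix; each line is 'key:value\\n'."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields: dict, secret: bytes) -> str:
    """Base64(HMAC-SHA256(secret, kv_form(signed fields))), as an OP would emit."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_signature(fields: dict, secret: bytes) -> bool:
    """Constant-time comparison of the recomputed MAC with openid.sig."""
    return hmac.compare_digest(sign(fields, secret), fields.get("openid.sig", ""))


def rp_accepts(fields: dict, secret: bytes, trusted_ops: set) -> tuple:
    """The RP's decision: the MAC must verify, the OP endpoint must be covered
    by the signature, and the OP must be one this particular RP chose to trust.
    Which OPs go into trusted_ops is the RP's policy, not a vendor default."""
    if not verify_signature(fields, secret):
        return False, "bad signature"
    if "op_endpoint" not in fields["openid.signed"].split(","):
        return False, "op_endpoint not covered by signature"
    op = fields.get("openid.op_endpoint")
    if op not in trusted_ops:
        return False, "OP not in this RP's trust policy"
    return True, "accepted"


def make_assertion(op_endpoint: str, claimed_id: str, secret: bytes) -> dict:
    """Construct a positive assertion (mode id_res) the way an OP would,
    signing the mandatory fields. All values here are placeholders."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2007-07-13T13:55:00ZCONSTRUCTED",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, secret)
    return fields


if __name__ == "__main__":
    policy = {"https://op.example/endpoint"}  # this RP's own choice of OPs
    good = make_assertion("https://op.example/endpoint", "https://alice.example/", SHARED_SECRET)
    print(rp_accepts(good, SHARED_SECRET, policy))
    tampered = dict(good, **{"openid.claimed_id": "https://mallory.example/"})
    print(rp_accepts(tampered, SHARED_SECRET, policy))
    other = make_assertion("https://other-op.example/", "https://bob.example/", SHARED_SECRET)
    print(rp_accepts(other, SHARED_SECRET, policy))
```

The point the thread argues about sits entirely in `trusted_ops`: the MAC check is mechanical and the same for every RP, while the allow-list is a per-RP decision, which is why there are effectively as many "vendors" as there are RPs.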


-----Original Message-----
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>
To: "Peter Williams" <pwilliams at rapattoni.com>
Cc: "John Wang" <jwanggroups at gmail.com>; "OpenID - General" <general at openid.net>
Sent: 7/13/07 1:19 PM
Subject: Re: [OpenID] Rule of thumb

Hi Peter,

I certainly don't want to start an off-topic flame war about CAcert, but 
your post below is pure nonsense!

I know most important people at CAcert (including its founder) and also 
the editors of the Mozilla CA policy (which was developed in a community 
driven process). Knowing both organizations, let me assure you that this 
has nothing to do with any conspiracy, but with very sound policy 
decisions by Mozilla which CAcert chooses not to meet. Additionally the 
web-of-trust scheme has many problems if run in the way CAcert operates. 
Also CAcert has nothing - I repeat NOTHING - to do with "Open Source" 
whatsoever, but CAcert is a community operated web-of-trust scheme.

Mozilla mustn't risk itself or its users, but provide a clear path and 
policy for CAs which has to be met! This is the responsibility a 
software vendor, such as Mozilla, has to take. It's upon the CA to 
implement and meet the requirements.

Peter Williams wrote:
>
> CAcert is not in a browser, as one particular mega-CA trade association 
> turned CAcert into a kick ball. They inappropriately used their 
> influence to set the bar in the major browsers' distribution so the 
> very "category of 'open-source' trust model" being pursued by CAcert 
> is hindered - and can only fail to pass the bar. It's a shameful 
> position for Mozilla to take, tho. quite an understandable decision by 
> the likes of Apple, Opera and Microsoft and the phone companies (which 
> are businesses).
>

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
