[OpenID] Rule of thumb

Peter Williams pwilliams at rapattoni.com
Sun Jul 22 01:29:52 UTC 2007


This vision of the world is fine, but it's a little naive. Let me tell a short personal story. It's perhaps prediction, relying on the truth of history.
 
I helped spend $50M dollars "augmenting" the VeriSign identity management service (in the cert era). We - a third party - built a reputation service, referring to cert providers and their certs, serving RPs only. In those days, it went by the name of a "Validation Authority". Its model was one of commingling the facts of suspension/revocation status info from the CRLs with contextual validation checks ordered on demand, by the RP. The added-value service was similar in concept and role to what VISA does when performing real time velocity checking and other risk management processes on the transaction flow, that the backend issuing/acquiring banks don't do when authorizing credit or merchant payment.
 
It is not professional or proper to tell all that went on, but I can say publicly: VeriSign - a CA/IDP - did not desire a world where it was dis-intermediated from the RP by a third party reputation/validation authority, particularly a third party co-mingling reputation data about several IDPs.
 
As someone who earlier had helped design the original VeriSign/military trust model to fit with internet culture, there were some very good technical and business reasons for VeriSign doing what it did, and taking the posture it did. It had been my job to educate and warn the business leaders of what happens to the economic value of an IDP assertion, once an IDP is dis-intermediated. I was fortunate enough to get to test out my own theory, and see what economic countermeasures a powerful, well-capitalized IDP can and may yet again bring to bear - to prevent that type of infrastructure ever occurring.

________________________________

From: general-bounces at openid.net on behalf of Recordon, David
Sent: Sat 7/21/2007 4:22 PM
To: Eric Norman; OpenID - General
Subject: Re: [OpenID] Rule of thumb



My view is just as we talk about one of the RP benefits to using OpenID
is that Providers will be experts in user management so that you as an
RP can focus on building your cool app, I think we'll also see
reputation and trust experts emerge as services.  Thus an RP will choose
one, or more, of them they wish to rely on when interacting with new
OpenIDs.  Just like there are many types of RBLs for email and an email
administrator chooses which one they'd like to use.

--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Eric Norman
Sent: Friday, July 13, 2007 12:21 PM
To: OpenID - General
Subject: Re: [OpenID] Rule of thumb


On Jul 13, 2007, at 11:42 AM, Eddy Nigg (StartCom Ltd.) wrote:

> David from Verisign suggested, that "some" third party organizations
> will perform these services (as for example Webtrust does for CAs),
> however I'd certainly prefer that to be something which would come
> from the OpenID community itself. Or in other words, I think some of
> us should come together and found/operate this service.

Methinks there's an awful lot of RPs that would certainly
prefer not.  They would view this as the fox guarding the
henhouse, to use an old adage.

After all, they are the ones with something at risk.  So
they're not going to listen much if the OpenID community
starts telling them how to do their risk management.  And
rightly so.

Eric Norman
http://ejnorman.blogspot.com

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general