[OpenID] My answers to the nominee questions

Peter Williams pwilliams at rapattoni.com
Sun Dec 14 14:43:10 UTC 2008


"OpenID only authenticates the OP, not the RP."
I'll read your mail properly, later. I suspect I can learn a lot.

But... the above is just not true (in OpenID2).

The main thing that Yahoo! contributed to OpenID2 was the mechanism for a (careful) OP to authenticate the RP's namespace claims (before releasing the assertion)! This led to the whole notion of RP discovery, a formal process of authenticating the legitimacy of the RP's claim to the openid1-style realm.

Assuming part of that process involves recognizing the RP's SSL certs, the PKI/CTL issue - in a UCI environment - only got worse. Now every OP has to run a CTL, designating which RPs' CAs it will recognize. As the UCI thesis in OpenID Culture (the whole multiple nyms concept) requires that any OP and RP can play without prior registration (and this had to hold for their choice of CA root keys too, since CAs are part of https), the goals of UCI and the goals of relying on https rapidly come into conflict.




