[OpenID] Laws of id, openid with ssl

Peter Williams pwilliams at rapattoni.com
Fri Jan 25 17:40:11 UTC 2008


Long email. Delete now! ...  if your tolerance is 5 lines.
 
As far as I can reasonably tell in my first blog-centric exploration of cardspace -- so as to better understand Sxip's cardspace+openid security model as it pertains to their openid2/infocard proposal -- after verifying that my claimed email address was well-formed during my act of enrollment for commenting rights, the blog site never actually sent me the confirmation email. It claimed it did send an email (using a typical web culture assertion whose veracity I largely discount), and thus possibly, and only possibly, "mis-represented". 
 
I read the privacy policy (asserted and protected by cardspace -- which I reasonably believe from hype, public disclosures and technical claims to be an "evaluated" security enforcing feature designed to satisfy certain internationally-accepted criteria used when evaluating security claims about products in certain environments). I regarded it - prototypically - as an offer to make a privacy agreement, legally. I therefore regard myself, under NV (Nevada, US) law, as having - prototypically - asserted a certain expectation of privacy - with associated -- prototypical -- legal obligations on both parties. As PPIDs are bilateral, I would not have expected there to be any third party rights involved, or obligations owed (under UK law, say). In fact, this would have been a part of my real expectation of privacy: I would have specifically been expecting to except myself from presumptions about third party rights (novel legal constructions recently introduced into UK law hoping to address issues introduced by the web's/internet's open systems culture).
 
Ok. _Pretend_ legal pre-texting session about privacy in the UK/NV, over! Let's get back to technology's answers.
 
There could be various reasons for the email failure: (a) my domain is blacklisted, or not whitelisted; (b) my email id is blacklisted, or not whitelisted; (c) the email was never sent; (d) the email was never received; (e) the email was filtered by an agent doing traffic analysis, somewhere; (f) the blog site is broken; (g) it's not supposed to actually work; (h) the lawyers got to the blog operator or blog owner, to ensure no privacy agreements are executed finally (since it's an expensive, ongoing responsibility, thereafter, under EC data protection regulations!); (i) I falsely recall clicking on the site button asking it to send the email.
 
(To be fair, given (i), I just did another attempted login: "Kim Cameron's Identity Weblog <http://www.identityblog.com/> is sending you an email" is definitely asserted, not that any email from that weblog was received within 5 minutes. An optional redirect to an error page represented that the information card that I presented is not "valid" - which is plainly not true. Though the site's decision not to "rely" on its own determination of validity may have been reported, the phrasing really ought not to represent that the card itself is "invalid" as an omnidirectional card beacon, which (unlike the directed-identity PPIDs used to communicate with the blog) is not _supposed_ to be RP specific and is therefore not subject to "reliance-doctrine concerning validity".)
 
I'm left with an overall impression - an opinion I will now relate - specifically as it relates to the issues raised by directed identity - our topic of the moment in this thread. The law in question (#4) seems to have been articulated to rationalize what in part went wrong during the non-adoption of Microsoft Passport. My experience with identityblog.com, inducing my second (**) impression formed about an actual cardspace-using IT system, leaves me with the feeling that the practical authenticated-comment scheme for weblogs that it exposes is similarly doomed - despite the obvious thought that went into formulating law #4 and the other laws of identity (which are often referenced, in certain thoughtful communities). The delivery of a working identity system for weblog commenting - a system that is presumably exemplifying the laws - was far too painful to use, speaking as a user faced with a negative timeliness/usability experience! As a user, I'm unable to distinguish between any cardspace failure and any blogsite failure: to me, they were presented as one and the same thing. At the end of the day, I could not log in to get rights to leave a comment.
 
** The first impression, formed during an experiment to see how hotmail accounts could be augmented with a prototype liveID infocard, was that the particular card enrollment UI was far too complex for any average user to successfully and willingly navigate. I'd believe that greater focus on better UI engineering could eventually solve that, though.

 
________________________________

From: general-bounces at openid.net on behalf of Peter Williams
Sent: Thu 1/24/2008 8:10 PM
To: Drummond Reed; Martin Atkins
Cc: OpenID List
Subject: Re: [OpenID] Laws of id, openid with ssl




So I just went through a user experience, using an infocard (that sometime long ago I created during a liveID pilot) on identityblog.com.
...

Having logged on, guess what - it sent me an email so it could verify possession of the email claim. Then, I would supposedly have rights to leave a comment. 


_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
