Special Request: Client Certificates vs. OpenID

Recordon, David drecordon at verisign.com
Tue Jan 23 19:56:20 UTC 2007


Alaric is certainly correct here; there is nothing stopping someone from
standing up an OpenID Provider which uses client-side certs to
authenticate before continuing with the OpenID response.

--David 

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Alaric Dailey
Sent: Monday, January 22, 2007 11:02 AM
To: 'McGovern, James F (HTSC, IT)'; specs at openid.net
Subject: RE: Special Request: Client Certificates vs. OpenID

Client certificates could easily be used to extend OpenID, and since
(last time I checked) the authentication process was entirely up to the
IdP, a client-certificate-based IdP should be open to be created.

Most CAs have created a problem because they only allow a user to use
their certs (mostly because CAs don't all follow the same persona
verification standards, and to a lesser degree politics). Now, over at
StartCom, Eddy has created a system where users are allowed to register
any certificate they like to login, very much like the USPS has done for
the "Electronic Post Mark".

> -----Original Message-----
> From: specs-bounces at openid.net
> [mailto:specs-bounces at openid.net] On Behalf Of McGovern, James F 
> (HTSC, IT)
> Sent: Monday, January 22, 2007 11:08 AM
> To: specs at openid.net
> Subject: Special Request: Client Certificates vs. OpenID
> 
> Last week I sent a note to the list inquiring whether anyone on this 
> list wanted to participate in our industry vertical standards body in 
> hopes of ratifying OpenID as an endorsed horizontal specification. In 
> terms of preparation, it would be greatly appreciated if Dick Hardt, 
> Johannes Ernst and other bloggers could from their blog discuss 
> user-centric identity as a potential solution to industry vertical 
> concerns since nothing neutral (produced by a vendor and not an 
> insurance carrier) exists in this regard.
> 
> Other industry verticals such as Pharmaceutical have embraced PKI 
> approaches where they issue client certificates to participants. Many 
> PKI vendors have in secret created user certificate management issues,
> the inability to allow for roaming users, sharing of desktops, and 
> other concerns that I am of the belief that user-centric approaches 
> could handle.
> Of course PKI-centric and user-centric don't have to be mutually 
> exclusive but it would be wonderful if the blog entry reflected how 
> approaches such as SAFE (pharma) would have looked in a user-centric 
> world.
> 

_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
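The pattern David and Alaric describe above, an OpenID Provider that authenticates the user with a TLS client certificate (one the user has registered against their own identifier, as in Alaric's StartCom example) and only then issues the OpenID response, as an added worked example. This is not code from the thread, from the OpenID specifications, or from any project named in it. It assumes a TLS-terminating front end has already validated the certificate chain and hands the endpoint the DER certificate plus the verify result; the certificate bytes, registry, association handle, MAC key and URLs are constructed placeholders.

```python
"""OpenID Provider endpoint logic: TLS client-cert authentication first,
then an OpenID 2.0 positive assertion (or a negative one on failure).

Added example; not the thread's, OpenID's or any project's code.
Assumed: the TLS layer has verified the chain and passes (cert_der, ok).
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

OPENID_NS = "http://specs.openid.net/auth/2.0"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed registry: certificate fingerprint -> OpenID identifier the user
# bound it to. The issuing CA is irrelevant; the OP trusts the registration.
CERT_REGISTRY: Dict[str, str] = {}


def register_certificate(cert_der: bytes, identifier: str) -> str:
    """Bind a user's certificate to their identifier; returns the fingerprint."""
    fp = fingerprint(cert_der)
    CERT_REGISTRY[fp] = identifier
    return fp


def authenticate_with_cert(cert_der: Optional[bytes], tls_verified: bool) -> Optional[str]:
    """Return the identifier bound to a *verified* client cert, else None.

    tls_verified must be the TLS layer's chain-validation result; a cert
    presented without successful verification counts as no cert at all.
    """
    if not tls_verified or cert_der is None:
        return None
    return CERT_REGISTRY.get(fingerprint(cert_der))


def kv_form(fields: Dict[str, str], signed: List[str]) -> bytes:
    """Key-Value form signed in OpenID 2.0: 'key:value\\n' per field listed in
    openid.signed, in that order, with the 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode("utf-8")


def positive_assertion(identifier: str, return_to: str, op_endpoint: str,
                       assoc_handle: str, mac_key: bytes) -> Dict[str, str]:
    """Build an OpenID 2.0 id_res response signed with HMAC-SHA256."""
    # response_nonce: UTC timestamp plus unique ASCII suffix (replay protection)
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8)
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle", "signed"]
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": identifier,
        "openid.identity": identifier,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(signed),
    }
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    fields["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return fields


def verify_assertion(fields: Dict[str, str], mac_key: bytes) -> bool:
    """Relying-party side check of the signature (constant-time compare)."""
    signed = fields["openid.signed"].split(",")
    expected = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(fields["openid.sig"]), expected)


def handle_checkid(cert_der: Optional[bytes], tls_verified: bool, return_to: str,
                   op_endpoint: str, assoc_handle: str, mac_key: bytes) -> Dict[str, str]:
    """checkid_setup handling: authenticate via client cert, then respond."""
    identifier = authenticate_with_cert(cert_der, tls_verified)
    if identifier is None:
        # Negative assertion: never assert an identity that was not authenticated.
        return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
    return positive_assertion(identifier, return_to, op_endpoint, assoc_handle, mac_key)


if __name__ == "__main__":
    alice_cert = b"constructed DER bytes standing in for Alice's certificate"
    register_certificate(alice_cert, "https://alice.example/")
    key = secrets.token_bytes(32)  # MAC key from a prior HMAC-SHA256 association
    resp = handle_checkid(alice_cert, True, "https://rp.example/return",
                          "https://op.example/endpoint", "assoc-1", key)
    print(resp["openid.mode"], verify_assertion(resp, key))
    print(handle_checkid(alice_cert, False, "https://rp.example/return",
                         "https://op.example/endpoint", "assoc-1", key)["openid.mode"])
```

The important design point is that the certificate check happens entirely inside the OP, before any assertion is built, so the Relying Party never sees or depends on the certificate; it only verifies the ordinary OpenID signature. The TLS verify flag is treated as the sole source of truth about the certificate, and an unregistered or unverified certificate yields a `cancel` response rather than a partially populated one.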
