OpenID 3.0

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Mon Feb 4 17:39:55 UTC 2008


> If it turns out that some particular feature absolutely can't be done 
> without making a new Authentication spec release then so be it, but 
> ideally I think we want 2.0 to be stable for many years to come to 
> avoid repeating all of the current pain of incompatible versions and 
> the poor user experience that creates.

It is noble to think this way, but the odds of this becoming reality
are very slim. There are always new attack vectors, and this protocol
needs to change to stay secure even if it breaks backward compatibility.

I think the issue of whitelisting not only belongs on the side of the
relying party but also allowing each user of OpenID to indicate
whitelists in terms of how they will want their OpenID leveraged. This
should be supported by the identity provider. This is more than simply
putting the user in the middle.

One of the scenarios that reputation would need to consider is the
security of all channels. For example, in my role I may deem that I will
only trust interactions that occurred 100% over SSL. If someone
specified an HTTP OpenID (e.g. http://james.myopenid.com/) and not an
HTTPS one (e.g. https://james.moresecureopenid.com), then I can ignore
the entire flow. Reputation works only if there are certain trust cues,
of which things such as EV SSL could be one.

As far as the LDAP thread, has anyone approached Microsoft regarding
turning Active Directory into an OpenID provider?



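The HTTPS-only user whitelist described in the message above, as an added example that is not part of the thread: a relying-party-side check that normalizes a claimed identifier following the OpenID Authentication 2.0 URL rules and then applies a per-user policy. The policy dictionary, the host list and the identifiers are constructed for illustration; redirect following, which the spec also requires during normalization, is left out so the code runs offline.

```python
"""Constructed example: enforce a user's "HTTPS only" OpenID policy."""
from urllib.parse import urlsplit, urlunsplit

XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!"


def normalize_identifier(user_input):
    """Normalize a claimed identifier per OpenID 2.0 sec. 7.2 (URL form only).

    Strips "xri://", prepends "http://" when no scheme is given, lowercases
    scheme and host, defaults an empty path to "/", and drops the fragment.
    Note: a bare "james.myopenid.com" becomes an *http* identifier, so it
    fails an HTTPS-only policy even if the provider also serves TLS.
    """
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s[:1] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        raise ValueError("XRI identifiers are not handled in this example")
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def evaluate(user_input, policy):
    """Return (accepted, normalized_identifier_or_reason) for a user's policy."""
    try:
        ident = normalize_identifier(user_input)
    except ValueError as exc:
        return False, str(exc)
    p = urlsplit(ident)
    # The author's rule: ignore the whole flow unless the identifier is HTTPS.
    # This only covers the identifier itself; discovery and the assertion
    # round trips must also be checked for TLS at each hop.
    if policy.get("https_only") and p.scheme != "https":
        return False, "rejected: %s is not an HTTPS identifier" % ident
    allowed = policy.get("allowed_hosts") or []
    host = p.hostname or ""
    if allowed and not any(host == h or host.endswith("." + h) for h in allowed):
        return False, "rejected: provider %s is not on the user's whitelist" % host
    return True, ident


# Constructed per-user policy, as the message proposes the IdP should hold.
HTTPS_ONLY_POLICY = {"https_only": True, "allowed_hosts": ["moresecureopenid.com"]}

if __name__ == "__main__":
    for claimed in ("http://james.myopenid.com/", "https://james.moresecureopenid.com"):
        print(claimed, "->", evaluate(claimed, HTTPS_ONLY_POLICY))
```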



