[OpenID - Eu] Mission Statement

Andrew Tomlinson adt at cannontomlinsonbyrne.com
Fri Jun 1 18:01:29 UTC 2007


This email got so long, here is the summary...

No to Certification - it is too hard and will happen naturally when a 3rd
party company identifies the need and people buy it
Yes to Validation - a low barrier (automated self certification) for small
gain to provider ("OpenID verified" logo and listing in directory)

The long version...

There is room for commercial certification for commercial use of OpenID. I
imagine it will come from existing certification providers, and as Martin
points out will be equal strength to existing SSL certification. It is
important to note that the lack of meaning to end users of the premium SSL
certs (i.e. ones where the details have been verified to some degree)
doesn't stop people buying them and using them. It also doesn't stop end
users from using sites with self-signed SSL certs.

Certification should be left to organisations with the capability to do
these checks and deal with disputes and breaches. It will be up to these 3rd
parties to make money out of it and to generate the trust through normal
business activity (and paying browser developers for trusted status when
browsers are OpenID aware...). I don't see how OpenID certification is any
different to SSL certificate claims - so why not use the same model.

I do think it is a good idea for lightweight access to a logo for marketing
purposes for IdP and RPs who self certify through some simple tests. This
gives a simple model for (legally) revoking access to it for rogue sites
while giving free access to it for everyone else. Defending use of your
trademark is also a requirement in some countries (IIRC), so this might be
enough. Following a quick check on openid.net I couldn't find any clear
license for logo usage other than the spec which recommends the login box
insets the logo and the GNU FDL license. 

It isn't about trust, it is about marketing and publicity - despite being
just a technology the OpenID community will have to deal with damage caused
by rogue implementations. I agree NCAP isn't really applicable for Model T
Fords. They still fitted them with brakes though...

I think I am mostly repeating myself so will stop now :)

Andrew

-----Original Message-----
From: eu-bounces at openid.net [mailto:eu-bounces at openid.net] On Behalf Of
Chris Obdam
Sent: 01 June 2007 16:08
To: Martin Paljak
Cc: Snorri; eu at openid.net
Subject: Re: [OpenID - Eu] Mission Statement

Martin,

I get your point. Seeing the reactions maybe my certification ideas
are not realistic.

Does anybody see the goodness in the whole 'certification' idea? Or
to put it in another way: Providers can only become a member after
they have passed the test.
What the test rules are can be defined later..

?

Greetings,

Chris - OpenID Holland


On 1-jun-2007, at 16:30, Martin Paljak wrote:

>
> On 01.06.2007, at 17:02, Chris Obdam wrote:
>
>> I want people to know that when an OpenID provider is a member of the
>> OpenID Europe Organisation, that provider is safe.
>
> I still don't understand how the safeness of an OpenID provider
> differs from the safeness of a random website where you would be
> using that OpenID. Or what kind of safeness should be assessed?
> Privacy? Authentication security? Data security?
>
> Or how an NGO could approve the safeness of its members and why a
> random person should buy that claim (Sounds like 'self-signed
> certificate')
>
> This would be as good as to have Euro NCAP (the thing that tests
> new cars) be set on the car industry 100 years ago. The safety of
> cars has been troublesome for a long time, but the rising
> number of cars in Europe and the higher assumed safety of cars
> actually make EuroNCAP useful and trusted because there is a need
> and there is trust for them (they are hopefully somewhat
> independent). We need millions of OpenID *consumers* and after that
> we can work on the certification. It would be like having ultrasafe
> cars in the world with no roads otherwise.
>
> What I'm trying to say is that trust and sense of safety are
> actually pretty personal. I don't automatically 'buy' something
> because it claims to be the best. If the need for such
> certification arises, it shall be filled by an *independent* party.
>
> m.
> -- 
> Martin Paljak
> http://martin.paljak.pri.ee
>
_______________________________________________
eu mailing list
eu at openid.net
http://openid.net/mailman/listinfo/eu
