Solution

Chris Drake christopher at pobox.com
Tue Oct 24 02:11:07 UTC 2006


Hi Roland,

Fascinating ideas - good work.  Bad name though: PIP is the verisign
IdP http://pip.verisignlabs.com/

Kind Regards,
Chris Drake


Tuesday, October 24, 2006, 6:32:48 AM, you wrote:

RSum> Personal Internet Portal solution

RSum> I would like to propose the use of OpenId in the following way:

RSum> 1   end-point devices suffer from malware, so avoid the contact with this malware
RSum> using server-based computing
RSum> 2   people want to store information to let them single
RSum> sign on, for example using OpenId, to several sites, on a place
RSum> where nobody else can break in. I call this place PIP Personal
RSum> Internet Portal.
RSum> 3   this PIP uses directory services, like e-directory
RSum> from Novell, to store this information, to allow
RSum> login with OpenId, or i-names, or biometrics.
RSum> 4   after login to their PIP people can execute programs
RSum> on the PIP server, for example a browser, or a
RSum> home-banking application, or their office programs.
RSum> 5   the user can choose to use external application service
RSum> providers, which they trust, for the time being.
RSum> 6   After login with strong identification, or even
RSum> authentication (with biometrics) the user can change the
RSum> temporary trust list.


RSum> As for the use of OpenId,  I think this will make life easier.
RSum> kind regards,

RSum> Roland Sassen


RSum> Alaric Dailey wrote:

RSum> ok maybe I throw out my idea for solving these problems.

RSum> 1. require SSL for any data transfer from IdP to RP (
RSum> assuming data isn't going the other way)

RSum> 2. sign or encrypt the logon token (however or wherever it is stored)

RSum> 3. expire the logon after a certain period of time (  )

RSum> 4. require ssl for IdPs for logon pages etc...

RSum> 5. Heavily recommend that IdP's use
RSum>      DNSSec
RSum>      Salted passwords with strong hashing algos (i.e. NOT MD5 or SHA1)
RSum>      locked down systems (patches, AV, firewalls, etc)

RSum> Thus RP's do not require an SSL cert, and data can be
RSum> trusted, and it could be proven that it has not been modified.

RSum> _______________________________________________
RSum> general mailing list
RSum> general at openid.net
RSum> http://openid.net/mailman/listinfo/general
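Alaric's points 2, 3 and 5 above (a logon token that is signed and expires, and salted passwords with a hash stronger than MD5/SHA1) as an added worked example. This is not code from anyone on this thread; the signing key, the identity names and the PBKDF2 iteration count are constructed for the demo, and HMAC-SHA256 plus PBKDF2-SHA256 are one reasonable choice of primitives, not something the thread prescribes.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed demo key for this example only; an IdP would load its signing
# key from a secret store and rotate it.
DEMO_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
PBKDF2_ITERATIONS = 600_000  # work factor chosen for the demo


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(identity: str, key: bytes, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Points 2 and 3: a logon token that is signed (HMAC-SHA256) and carries
    its own expiry, so an RP can check integrity and age without contacting
    the IdP. Format: base64url(payload) '.' base64url(tag)."""
    now = time.time() if now is None else now
    claims = {"sub": identity, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_token(token: str, key: bytes,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired;
    return None for malformed, tampered, wrongly keyed or expired tokens."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64url(payload_b64), _unb64url(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the tag check does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None  # point 3: the logon has aged out
    return claims


def hash_password(password: str) -> str:
    """Point 5: a per-user random salt plus a slow, iterated hash (PBKDF2-SHA256
    here) instead of a bare MD5/SHA1 digest. The record is self-describing so
    the work factor can be raised later without breaking older records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${_b64url(salt)}${_b64url(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, dk = _unb64url(salt_b64), _unb64url(dk_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    tok = issue_token("alice", DEMO_SIGNING_KEY, ttl_seconds=300)
    print("fresh token verifies:", verify_token(tok, DEMO_SIGNING_KEY) is not None)
    print("expired token rejected:",
          verify_token(tok, DEMO_SIGNING_KEY, now=time.time() + 600) is None)
    rec = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", rec))
```

The token here is stateless, which is what lets the RP side skip its own certificate only for integrity purposes: the RP can prove the IdP issued the claims and that they have not been modified, but nothing in a signed token hides its contents, so point 1 (SSL on the IdP-to-RP transfer) still matters wherever the claims are confidential.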