[OpenID] Trust + Security @ OpenID
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Jul 16 18:45:20 UTC 2007
Summing up a little bit...
With all the discussion going on here and also off-list by various
community members, I have come to the following conclusions for now:
1.) A third-party body, which would perform various services for IDPs
(and RPs), is generally welcome. This body shouldn't be controlled or
founded by the OpenID Foundation; however, members of the OpenID
community might participate freely.
2.) Any sincere IDP should be able to register and advertise its service
in a basic configuration with no strings attached. Any promises of the
IDP, such as an SSL-secured site, certificate login, smart card usage, etc.,
shall be verified and confirmed by the third-party body. This includes
identity/organization validation of the IDP itself as well.
3.) ID validation performed by the IDP itself, or other third-party
confirmations such as those from webs of trust and CAs, is another aspect
the body might confirm.
4.) Blacklists obviously have their drawbacks but might be needed under
certain conditions. It would be useful to include this service for
RPs, especially in order to prevent spam on forums and blogs, which most
likely won't have many restrictions or conditions on the IDP.
An RP might set the level of requirements, for example:
Check Blacklist = Yes
IDP SSL secured = Yes
or
IDP SSL secured = Yes
Certificate Login = Yes
ID web-of-trust validated = Yes
or even
IDP SSL secured = Yes
IDP operator validated = Yes
ID CA validated (Class 2 or higher) = Yes
ID Smart Card = Yes
...or many other combinations. Any IDP can register and provide any of the
options or none. The third-party body confirms that the IDP in question
has been checked/verified to provide the services in question according
to criteria the body has to set up. In addition, the body would
organize and manage a blacklist.
Suggestions?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390
Scott Kveton wrote:
>> @Scott: You can support a centralized list of certified OpenID
>> servers, as long as it isn't part of the OpenID foundation? :-)
>>
>
> Email has had this problem for years and the solution was the creation
> of real-time blackhole lists (RBLs). I've used these for years and
> have been so thankful they exist. However, they are not without their
> problems. Liability and litigation have caused all sorts of problems
> for RBLs ... apply this to identity and the legal minefield gets that
> much more crowded.
>
> So, my stupidly long-winded response to your question is this: I'll
> personally use a centralized list of "trusted" (<- in quotes because
> it's a fully loaded word) OpenID providers if it exists, but I don't
> believe that the OpenID Foundation should advocate, sponsor, implement
> or specifically support any one.
>
> - Scott
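The requirement levels sketched in the post above (blacklist check, SSL-secured IDP, certificate login, web-of-trust or CA validation of a given class, smart card) can be expressed as an RP-side policy check against what the proposed third-party body has actually verified for an IDP, rather than against the IDP's own claims. The following is an added example written for this page; it is not code from the original post or from any OpenID implementation. The registry schema, the attribute names, the ordering of CA validation classes, the "list of alternatives" profile format and all sample IDP records and blacklist entries are assumptions made for illustration.

```python
"""RP-side evaluation of a requirement profile against a (hypothetical)
third-party registry of verified IDP attributes and a blacklist.

Added example, not from the original post. Schema, attribute names and
sample data below are assumptions."""

from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed ordering of certificate validation classes, weakest first, so that
# "Class 2 or higher" can be checked as an ordered comparison.
CA_CLASSES = ("none", "class1", "class2", "class3")


@dataclass(frozen=True)
class IdpRecord:
    """Attributes the registry has verified for one IDP (assumed schema).
    Defaults are all 'not verified'; an unregistered IDP is treated the same."""
    ssl_secured: bool = False
    certificate_login: bool = False
    web_of_trust_validated: bool = False
    operator_validated: bool = False
    ca_validated_class: str = "none"
    smart_card: bool = False


def host_of(endpoint: str) -> str:
    """Normalise an IDP endpoint URL to its lowercase host for lookups."""
    host = urlsplit(endpoint).hostname
    if not host:
        raise ValueError(f"no host in endpoint {endpoint!r}")
    return host.lower()


def satisfies(record: IdpRecord, requirements: dict) -> bool:
    """True if every required attribute is met by the verified record.
    'ca_validated_class' is ordered (requiring 'class2' also accepts 'class3');
    every other attribute must match exactly. Unknown attributes are an error
    rather than silently passing."""
    for attr, wanted in requirements.items():
        if attr not in IdpRecord.__dataclass_fields__:
            raise ValueError(f"unknown attribute in profile: {attr}")
        actual = getattr(record, attr)
        if attr == "ca_validated_class":
            if CA_CLASSES.index(actual) < CA_CLASSES.index(wanted):
                return False
        elif actual != wanted:
            return False
    return True


def evaluate(endpoint, registry, blacklist, profile, check_blacklist=True):
    """Decide whether an RP accepts this IDP.

    profile: list of alternative requirement sets (dicts). The IDP is accepted
    if ANY alternative is fully satisfied by its *verified* attributes; an
    empty dict means 'no strings attached'. Returns (accepted, reason)."""
    host = host_of(endpoint)
    if check_blacklist and host in blacklist:
        return False, "blacklisted"
    record = registry.get(host)
    verified = record if record is not None else IdpRecord()  # nothing verified
    for i, alternative in enumerate(profile):
        if satisfies(verified, alternative):
            return True, f"meets alternative {i}"
    if record is None:
        return False, "not registered"
    return False, "verified attributes do not meet profile"


# Constructed sample registry and blacklist (not real services).
REGISTRY = {
    "idp-a.example": IdpRecord(ssl_secured=True, certificate_login=True,
                               web_of_trust_validated=True),
    "idp-b.example": IdpRecord(ssl_secured=True, operator_validated=True,
                               ca_validated_class="class3", smart_card=True),
    "idp-c.example": IdpRecord(),  # registered in basic configuration, no claims
}
BLACKLIST = {"spam-idp.example"}

# The requirement levels from the post, expressed as profiles.
FORUM_PROFILE = [{"ssl_secured": True}]  # combined with the blacklist check
MEDIUM_PROFILE = [{"ssl_secured": True, "certificate_login": True,
                   "web_of_trust_validated": True}]
STRICT_PROFILE = [{"ssl_secured": True, "operator_validated": True,
                   "ca_validated_class": "class2", "smart_card": True}]
EITHER_PROFILE = MEDIUM_PROFILE + STRICT_PROFILE  # accept either level
OPEN_PROFILE = [{}]  # no strings attached; blacklist only

if __name__ == "__main__":
    for ep in ("https://idp-a.example/", "https://idp-b.example/",
               "https://idp-c.example/", "https://spam-idp.example/",
               "https://nobody.example/"):
        print(ep, evaluate(ep, REGISTRY, BLACKLIST, EITHER_PROFILE))
```

The point of keying every decision on the registry record rather than on anything the IDP asserts about itself is the one the post makes: the body verifies the promise, the RP only consumes the verified result. An IDP that is registered but has claimed nothing (idp-c.example) is rejected by any profile with requirements but accepted by the open profile, and the blacklist is consulted before the registry so a listed host never reaches the attribute check.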