[OpenID] [security] Trust + Security @ OpenID

Peter Williams pwilliams at rapattoni.com
Sat Jul 21 15:35:55 UTC 2007


I'm a blogger. I want to allow other commentators to add to my rant, logging in using their openid. I want to decide which openid providers I trust. I have no faith whatsoever in the decisions of google - my blogsite operator - on this score.

I'm a blogger....not an apache/iis admin skilled in IT.

How do we design for this? 

10000 bloggers, 10000 trust models during reliance. 10000 trust stores in iis/apache?

-----Original Message-----
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>
To: "Eric Norman" <ejnorman at doit.wisc.edu>
Cc: "OpenID List" <security at openid.net>; "OpenID List" <general at openid.net>
Sent: 7/21/07 7:04 AM
Subject: Re: [OpenID] [security]  Trust + Security @ OpenID

Apache web servers often come with a CA bundle installed (mostly 
Linux distributions). This is usually a dump from the NSS (Mozilla) 
store. One can easily add more PEM-encoded certificates to that bundle - 
all the ones you want to trust. Implementations can require valid 
certificates traceable back to a root in the CA bundle.

I don't know much about IIS (anymore), but I guess the same could be 
possible there, using the local machine store.

Eric Norman wrote:
> On Jul 20, 2007, at 8:30 AM, Johnathan Nightingale wrote:
>
>   
>> As Dmitry observes, the protection it offers is useless if there are 
>> http (i.e. non-SSL/TLS) links in the chain.
>>     
>
> True enough.  But there's more.  Many will argue that such
> protection is also useless unless the correct trust anchors
> (some folks call them "root" certificates) are deployed at
> the correct places.  This is far easier to say than accomplish.
>
> Eric Norman
> http://ejnorman.blogspot.com
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>   

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      startcom at startcom.org
Phone:       +1.213.341.0390
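One way to design for the per-blogger trust question raised above, as an added example that is not code from this thread or from any OpenID implementation: instead of one CA bundle in Apache or IIS, the relying-party application keeps its own trust store per blogger (here a Go map keyed by a made-up blogger id) and verifies a provider's certificate against only that blogger's chosen roots. The roots, the provider certificate, the hostname op.example and the blogger names are all constructed in memory for the demonstration; a blogger who has configured nothing trusts nobody.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PerBloggerTrust keeps one trust store per relying party (blogger) instead of
// one server-wide CA bundle: blogger id -> the roots that blogger chose.
type PerBloggerTrust struct{ pools map[string]*x509.CertPool }

// Trust appends PEM-encoded root certificates to one blogger's own store.
func (p *PerBloggerTrust) Trust(blogger string, pemRoots []byte) error {
	if p.pools[blogger] == nil {
		p.pools[blogger] = x509.NewCertPool()
	}
	if !p.pools[blogger].AppendCertsFromPEM(pemRoots) {
		return fmt.Errorf("no PEM certificate could be parsed for %q", blogger)
	}
	return nil
}

// VerifyProvider checks that a provider's leaf certificate chains to a root in
// this blogger's store and is valid for host. No store means nobody is trusted.
func (p *PerBloggerTrust) VerifyProvider(blogger, host string, leaf *x509.Certificate) error {
	pool, ok := p.pools[blogger]
	if !ok {
		return fmt.Errorf("blogger %q has no trust store; failing closed", blogger)
	}
	opts := x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	_, err := leaf.Verify(opts)
	return err
}

// template builds a minimal root (isCA) or server-leaf certificate template.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustSign issues tmpl under parent/parentKey, or self-signs it with a fresh
// key when parent is nil. Throwaway demo keys only; setup failures panic.
func mustSign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Demo: alice trusts the root behind op.example, bob trusts another, carol none.
func Demo() (map[string]bool, error) {
	rootA, keyA, pemA := mustSign(template("Root chosen by alice", true), nil, nil)
	_, _, pemB := mustSign(template("Root chosen by bob", true), nil, nil)
	leaf, _, _ := mustSign(template("op.example", false), rootA, keyA)
	trust := &PerBloggerTrust{pools: map[string]*x509.CertPool{}}
	for who, roots := range map[string][]byte{"alice": pemA, "bob": pemB} {
		if err := trust.Trust(who, roots); err != nil {
			return nil, err
		}
	}
	return map[string]bool{
		"alice":            trust.VerifyProvider("alice", "op.example", leaf) == nil,
		"bob":              trust.VerifyProvider("bob", "op.example", leaf) == nil,
		"carol":            trust.VerifyProvider("carol", "op.example", leaf) == nil,
		"alice-wrong-host": trust.VerifyProvider("alice", "other.example", leaf) == nil,
	}, nil
}

func main() {
	decisions, err := Demo() // map[alice:true alice-wrong-host:false bob:false carol:false]
	fmt.Println(decisions, err)
}
```

The design point is that the per-blogger pool is held by the application, so ten thousand bloggers do not need ten thousand server-level trust stores, and a provider accepted by one blogger is rejected for another who never added that root.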