[OpenID] [security] Trust + Security @ OpenID
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Sat Jul 21 22:41:09 UTC 2007
Hi Eric,
Eric Norman wrote:
>
> Right. Just about everyone already knows that.
>
How do I know what everybody knows? ;-)
> But it's not relevant to the point. One of the
> key phrases above is "correct places".
>
Mhhh...
> Which of those 100 or so trust anchors should I
> delete?
Mod them down to about 40 or so...
> Some folks will say "Start with all of 'em".
>
Well, that's funny..."Some folks" don't trust CAs, but trust some home
grown OpenID server run by haK0rz.ru to spill all their spam onto your
forum...YEAH! I love it...please punch me somewhat harder...please...
> They're just self-asserted claims, fer Pete's sake!
>
How do YOU know? I'm sure you have some concrete examples (not that all
CAs do such a great job always....but still...)
>
> What can I do to include my notion of trustworthiness
> instead of having to rely on blind faith in some
> system programmer at Mozilla or wherever?
>
You can invest a lot of time and work to include your notion or indeed
trust in the work others are doing:
http://www.mozilla.org/projects/security/certs/policy/
> That's part of the real problem. For further commentary,
> I'll just refer you to what Peter Williams is saying.
> He seems to have his brain partly wrapped around the
> problem (albeit maybe not the total solution).
>
In general I agree with the statement from Peter...
> Especially this:
>
> On Jul 21, 2007, at 1:37 PM, Peter Williams wrote:
>
>> What we need now are protocols hooks and UI concepts that implement
>> these raw technologies in a fashion that consumers can manage – and
>> thus impose their view of trustworthiness on the world – as they see
>> it.
>>
>
> I will assert one thing that you can take as "Gospel",
> if you so choose. This is not a problem that technology
> can totally solve, but it can make a contribution.
Well, the technology can't solve the trust problem, it can provide the
protocol hooks, as Peter said...Perhaps due policies can help to provide
the frameworks needed.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom at startcom.org
Phone: +1.213.341.0390