[OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID not so openanymore?

Peter Williams pwilliams at rapattoni.com
Tue May 29 17:15:34 UTC 2007 

 
Is the domain name registrar that registers any portion of the user's URL/OpenId the party that "manages" the OpenID URL, or is only the party that engages in live OpenID protocol runs for that OpenID that "managing" party, or is the managing party the agency that (legally) controls issuance and use of a domain name used in a public URL/OpenID?
 
In audit speak, I'm asking:  are the security enforcement features of the OpenID protocol dependent on any registration authority or other naming authority that has been assigned the "management role"?
 
-------
 
On "managing" 
 
Help me with precise language use, please, in this community. 
 
In one commentary, manage is used precisely:
 
"OpenID <http://openid.net/>  [1 <https://webmail.rapattoni.com/exchange/pwilliams/Drafts/RE:%20[OpenID]%20Verisign%20Seatbelt%20%22vs%22%20ClaimOP_xF8FF_RP%20--%20OpenID%20not%20so%20openanymore_x003F_.EML/1_text.htm#1> ][2 <https://webmail.rapattoni.com/exchange/pwilliams/Drafts/RE:%20[OpenID]%20Verisign%20Seatbelt%20%22vs%22%20ClaimOP_xF8FF_RP%20--%20OpenID%20not%20so%20openanymore_x003F_.EML/1_text.htm#2> ] is a single sign-on system for the Internet which puts people in charge. OpenID is a user-centric technology which allows a person to have control over how their Identity is both managed and used online. By being decentralized there is no single server with which every OpenID-enabled service and every user must register. Rather, people make their own choice of OpenID Provider, the service that manages their OpenID."  [http://www.ariadne.ac.uk/issue51/powell-recordon/]
 
An 
 
1. "OpenID Provider" is a "service that manages [...] OpenID[s]"
 
Yet
 
2. "person [...] control[s] [...] how their Identity is both managed and used [...]"
 
I note a legalism here that may or may not be part of the technical design or the philosophy of the community:
 
3.  in OpenID's user centric model, real persons only "control" those others real persons that manage OpenIDs; the management acts are performed by parties known as "OpenID Providers".
 
 
The word "manages" has very specific and technical meaning in the VeriSign Certificate Practice Statement (CPS) - an indirect control framework based on ISO Registration Authority doctrine which would (legally) control the OpenID protocol run - if messages and signals pass over https. (Yes, that assertion assumes that one party is using and relying upon a VeriSign-issued certificate, or Extended Validation cert.)
-------------
 
On "phishing"
 
 
The interesting part  of the argument is whether https - used with VeriSign's new extended validation certs -would reasonably claim to provide "any" anti-phishing support to OpenID protocol, when OpenID sites engage in WebSSO or signal attribute requests/responses?
 
If so, what other components of anti-phishing countermeasures are missing ... if we claim as an axiom that the OpenID protocol relies upon https with VeriSign Extended Validation certs?
 

"Phishing and Online Fraud Undermine Customer Confidence


Phishing scams and online fraud have created doubt and concern among online shoppers. To regain their trust, site owners need an easy, reliable way to show customers that their transactions are secure and they are who they say they are. Security vendors and Internet browsers have combined forces to establish the Extended Validation Standard for SSL Certificates. " [http://www.verisign.com/ssl/ssl-information-center/ie7-ssl-security/index.html'


________________________________

From: general-bounces at openid.net on behalf of Boris Erdmann
Sent: Tue 5/29/2007 7:33 AM
To: general at openid.net
Subject: [OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID not so openanymore?



Now,

after investigating the topic a little further the facts seem to speak
for themselves:

a) Verisign developed an RP/OP discovery mechanism from exactly
     the same motives like I did with my ClaimOP proposal as part of
     their Seatbelt product (albeit more elaborate, I frankly admit).

b) With at least two very prominent followers of the OpenID community
     (Verisign and JanRain both actively support the Seatbelt approach)
     there seems to be some understanding between OP's that the base
     OpenID protocol is lacking when it comes to fighting phishing.


So this proves that my reasoning is quite valid:
Browsers need more signalling to get a grip on
the protocol!


Now I wonder:

* Shouldn't a solution be discussed in the open?
* Am I completely off topic (please direct me to the right place)?
* Is all this to stay behind the scenes?
* Is nobody else interested?


Thanks
-- Boris
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

More information about the general mailing list