[OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID not so open anymore?
Recordon, David
drecordon at verisign.com
Tue May 29 23:11:08 UTC 2007
Hey Boris,

I think there certainly is an understanding between OPs that phishing
is a definite concern when using the OpenID protocol, btw AOL has also
added support for VeriSign's SeatBelt. I think what we've seen though
(as Brian and I talked about at Web 2.0 Expo
http://openid.net/pres/2007_Web2Expo_Implementing_OpenID.pdf) is
two-fold:

1) The OpenID Authentication protocol itself shouldn't need to change
to address the phishing concerns, or at least it doesn't in the near
future. Rather like SAML it can remain agnostic as to how the End User
authenticates to the OP and let extensions to the protocol handle richer
descriptions of requirements and what happened (as discussed in the
collaboration announcement around RSA
http://www.identityblog.com/?p=668).

2) OpenID Providers are already starting to look at ways they can
protect their users from phishing by using authentication technologies
other than username and password. While OpenID thrusts the phishing
issue into the limelight, it is a larger problem on the web which
technologists are already looking at. Options such as certificates
(whether they be through something like CardSpace or browser certs like
MyOpenID.com and Certifi.ca are doing) provide one means to help with
this problem.

As for openness around the Provider provisioning, we certainly are
wanting to look at using Yadis for OpenID Providers to mark up their
SeatBelt configuration. The provisioning configuration markup evolved
very quickly, especially as we were working with JanRain and AOL, and it
was easiest to design it in a proprietary fashion. With that said, I
don't see how this has any bearing to OpenID in general nor the open
community process that is used for specification development.

We're certainly working to have the SeatBelt up on Mozilla's Add-Ons
page and at that point will provide it for public download as well as
providing documentation with it. Certainly not trying to do anything
closed, which I hope is shown by the fact that it isn't just limited to
VeriSign's OpenID Provider nor a set list of Providers, but rather any
Provider can add the configuration markup and work with the SeatBelt.

--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Boris Erdmann
Sent: Tuesday, May 29, 2007 7:33 AM
To: general at openid.net
Subject: [OpenID] Verisign Seatbelt "vs" ClaimOP/RP -- OpenID not so
open anymore?

Now,

after investigating the topic a little further the facts seem to speak
for themselves:

a) Verisign developed an RP/OP discovery mechanism from exactly
the same motives as I did with my ClaimOP proposal as part of
their Seatbelt product (albeit more elaborate, I frankly admit).

b) With at least two very prominent followers of the OpenID community
(Verisign and JanRain both actively support the Seatbelt approach)
there seems to be some understanding between OPs that the base
OpenID protocol is lacking when it comes to fighting phishing.

So this proves that my reasoning is quite valid:
Browsers need more signalling to get a grip on the protocol!

Now I wonder:

* Shouldn't a solution be discussed in the open?
* Am I completely off topic (please direct me to the right place)?
* Is all this to stay behind the scenes?
* Is nobody else interested?

Thanks

-- Boris