[OpenID] Reconsidering http://openiddifferent from https://openid

Peter Williams pwilliams at rapattoni.com
Thu Sep 20 20:24:22 UTC 2007 

We agree. The 80/20 rule is very effective at mass scale system. Its undeniable. Are you however willing to willing to risk the value of your home on today's openid assurances, as you convey it to op.sex.ru.xxx/naughtynaughty?
 
Email-based registration works very well, of course. It was the underpinnings of a million digital certs issued in 1995!!  And, as I read in some presentation the other day about OpenID, the gazillions of email-based registrations that ping your email account are ....just OpenID with a bad user interface.
 
Well that's the end of the story then, isn't it. Well its almost complete, but not quite.
 
A test of an RFC822 address's legitimacy is based on a (relatively) trusted resolution system - the SMTP email system.
 
If, like VeriSign services, the email ping is via SMS message to your phone, it again uses a very trusted resolution system: the SMS relay network. The trust is a function of a lot of trusted handoffs between lots of carrier networks using an interconnect backbone ...where Secure CMIP and key-interchanging servers guard the interchanges. This is of course core Neustar territory, as seen in their technical involvement and significant investment in XRI, SAML, and ENUM.
 
Yes, we collectively worked to add assurance to the web, via https+PKI, so fears similar to my housing jibe were moved - in the smaller risk category known as credit-card based e-commerce. And these days, its been extended to debit transactions, too!
 
And yes - the last 20% of the additional risk due to Internet moto& debit  transactions is not addressed by technical risk management, being far too expensive. Rather Its insured via wall street bond issues, actuarial practices, and the spreading of the risk of fraud widely. When we find a title company willing to add internet risk management to its writing of the title insurance when you transfer title of home, we may be able to use the same doctrine. To get from here to there, we need a few things. They are quite similar to the things https added to make e-commerce happen.
 
 
________________________________

From: Christopher St John [mailto:ckstjohn at gmail.com]
Sent: Thu 9/20/2007 12:16 PM
To: Peter Williams
Cc: Johnny Bufu; Jack; OpenID List
Subject: Re: [OpenID] Reconsidering http://openiddifferent from https://openid



> Neither the web nor DNS were designed to act as a secure
> name service (outside of milnet). Forcing the web/DNS itself
> to impose a consistent identitybased on its 80/20 design
> concept is unlikly to ever work well.
>

In practice, it works very well indeed, handling (imperfectly but
acceptably) many (most?) existing site registration and login
needs via the normal mapping of logins to "verifiable" email
addresses.

There are certainly many applications for which this is not
nearly good enough, but there are plenty of massively complex
general purpose industrial-grade systems out there to use
instead. They litter the landscape like the rusting hulks, I'm
sure it's possible to pick one up cheap without having to
build yet another one.

There's no shame in solving a common subset of a difficult
problem. It's a classic engineering technique to trade scope
for simplicity. I think it would be a shame to try to force
OpenID to become something it's not.

-cks

--
Christopher St. John
http://artofsystems.blogspot.com <http://artofsystems.blogspot.com/>

More information about the general mailing list