[OpenID] What election?
Peter Williams
pwilliams at rapattoni.com
Sun Dec 7 21:44:35 UTC 2008
Since a committee is formally in charge of eligibility, is David's membership committee in charge of the list of root certs that the RP will accept as "assurers" of https-based openids?
Of course, little hinders the Foundation acting as registration authority for SSL root certs, for any registering OP. It's trivial config, and is easily automatable: any unrecognized server cert (or its root) is simply added to the "accepted" root list.
Similarly, little stops the Foundation issuing criteria - designating which (vendor's) CAs are acceptable for https OpenIDs - and then enforcing those root registry criteria (known in MSFT/Cisco-land as a CTL). That list could be defined in a vague fashion as ... the list of whichever PKI roots happen to be in the OS the Foundation's computers are using (this week). One can hope that in a load-balanced situation with multiple machines, all hosts have the same roots. But who knows!
Of course, if someone patches one of the hosts but not all, there may be fewer roots (and thus fewer acceptable OPs) the next day.
Given we know nothing of the security engineering or the operational assurances of the election site, we COULD be in the situation that an openid asserted to make a vote on voting day is acceptable upon presentation, but is NOT acceptable on the recount/validation (if only the OS was patched, meantime). Or in other variants of lack of auditable controls: the https openid is viable on user testing before voting day, but suddenly gets eliminated 1h before voting (much like typical election rigging scams, suddenly imposing reading tests for certain races).
Fun to see openid bite off elections/voting as showcase application!! It's a hard case. But, that's impressive, as a Board goal.
Nothing personal or imputed in all the examples, here! But do recognize that it's the _Normal_ process of challenging a voting security process, based on lack of (disclosed) assurances.
Peter.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Scott Kveton
Sent: Sunday, December 07, 2008 2:14 PM
To: general at openid.net
Subject: Re: [OpenID] What election?
> Right. These questions are still not answered:
> 1. Is there a list of OpenID-s who are eligible to vote?
The membership committee would be best to answer that. David?
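The root-list drift raised in the message above (hosts behind a load balancer, or the same host on voting day and at recount, accepting different roots) can be made auditable by recording a digest of the exact accepted-root set. This is an added example, not part of the original thread or any OpenID Foundation code; the host labels and the PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def root_fingerprints(pem_bundle):
    """Return the set of SHA-256 fingerprints of every cert in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def trust_list_id(fps):
    """Order-independent digest identifying one exact accepted-root list."""
    return hashlib.sha256("\n".join(sorted(fps)).encode()).hexdigest()

def drift(snapshots):
    """Map each snapshot label to the roots it lacks relative to the union."""
    sets = {label: root_fingerprints(b) for label, b in snapshots.items()}
    union = set().union(*sets.values())
    return {label: union - s for label, s in sets.items()}

def _fake_pem(label):
    # Constructed placeholder: arbitrary bytes in PEM armor, not a real cert.
    b64 = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

ROOT_A, ROOT_B, ROOT_C = (_fake_pem(n) for n in ("root-A", "root-B", "root-C"))

# Constructed snapshots of the accepted-root list (labels are hypothetical).
SNAPSHOTS = {
    "host1-voting-day": ROOT_A + ROOT_B + ROOT_C,
    "host2-voting-day": ROOT_C + ROOT_A + ROOT_B,  # same roots, other order
    "host1-recount": ROOT_A + ROOT_C,              # ROOT_B gone after a patch
}

if __name__ == "__main__":
    for label, bundle in SNAPSHOTS.items():
        print(label, trust_list_id(root_fingerprints(bundle))[:16])
    for label, missing in drift(SNAPSHOTS).items():
        print(label, "is missing", len(missing), "root(s)")
```

Publishing the `trust_list_id` value alongside the result lets a recount confirm it validated https OpenIDs against the same root set that was in force when the votes were accepted.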