[OpenID] Changes to the OpenID Foundation member page login
Peter Williams
pwilliams at rapattoni.com
Mon Dec 8 02:21:49 UTC 2008
Well, I suspect we agree on most things.
This election (given it's pretty formal, under the legalities facing corporate officers) will set a standard for some time. We will see what the board secretary allows in practice on https-level assurances/requirements/obligations, in order to confer legitimacy on the result. I intend to compare how this is run to the web-based voting services many of my customers have used for years for their committees. Hopefully, it will establish some legal precedents for applying websso, that they too can leverage as acceptable business practice.
Concerning your thoughts:
In general, any SP/consumer site that becomes a magnet for lots of folks using openids…to which other (mega) OPs have sent it authenticated customers and attributes (I mean users and their UCI data, sorry), will naturally want to turn around that data mine and become a provisioneer of openids in its own right. (If this was a MPLS and BGP forum, I’d be calling it a scalable ‘route reflector’!)
This is the crux of the SAML “SP affiliation” model, of course, where one SP acts as a naming/control authority for several other SPs – who are willing to take the primary SP’s lead when engaging in such as the “google-style persistent/per-realm naming pseudonyms” when dealing (uniformly, as a consortium) with the mega-OPs. Of course, the SPs in the affiliation can and will share (non-OP-copyrighted) attributes about the commonly named/authenticated entity, outside the (legal or DRM) controls of the IDPs/OPs.
Once Nat has his way (and it's inevitable and late already), there will soon be a legal notice in the openid assertion (or in some "terms of service" bit format extensions) that places limits on authorized use and reliance of assertions, limiting reliance by downstream third parties without a binding and limiting contract with the OP/AX provider. It will soon prohibit such affiliate/repurposing behavior, as a way of enforcing through legal controls what technical controls cannot do (without running either a single, giant key management domain, or a centralized metadata repository.)
It's funny that OpenID bootstrapped itself on UCI - but will surely now evolve into a very large web-scale control system. It will probably be rather more effective than the UK/US/Aus governments even wanted the PKI vendors to enable for them (since openid runs at the app layer, rather than behind a difficult to access network socket).
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Sunday, December 07, 2008 6:31 PM
To: general at openid.net
Subject: Re: [OpenID] Changes to the OpenID Foundation member page login
On 12/08/2008 02:29 AM, Peter Williams:
Eddy:
Let’s get down and dirty, since https OpenIDs are part of the standard.
Yes, why not....because I haven't lost too much thought about it...
I don’t see how we can easily wash our hands of PKI (much as I’d love to do so).
The questions below are actually interesting. Obviously I answered them for my own organization concerning being a relying party, but never thought about it in relation to the OpenID Foundation.
Would you counsel the secretary running the election to accept http (i.e. non-https) openids in the coming election?
No
If https openids are used by voting members, would you counsel that the rules should prevent those presumed voters from using the election site?
If https openids are used and acceptable under the election rules, would you counsel that the election site accept any and all CAs supporting that https channel?
If proper https openids are used when exercising a voting right, would you counsel that the Foundation limit the CAs used in https openids to any particular list of CA service providers?
This actually led me to the following suggestions:
A reasonable solution would be to combine the root lists of the most popular browsers and operating systems (e.g. Microsoft, Apple, Mozilla). And then I thought, how about OpenID Foundation members receiving an OpenID from openid.net? I mean, this could be exclusively for members only and could be used to solve the problems of
1. various login problems,
2. questions as the ones from above,
3. not favoring any OP, being truly THE OpenID provider (for members).
That could be really kewl ;-)
Regards
Signer:
Eddy Nigg, StartCom Ltd.<http://www.startcom.org>
Jabber:
startcom at startcom.org<xmpp:startcom at startcom.org>
Blog:
Join the Revolution!<http://blog.startcom.org>
Phone:
+1.213.341.0390