[OpenID] Changes to the OpenID Foundation member page login
Martin Paljak
martin at paljak.pri.ee
Mon Dec 8 07:47:30 UTC 2008
On 08.12.2008, at 4:27, SitG Admin wrote:
>> Is funny that OpenID bootstrapped itself on UCI - but will surely
>> now evolve into a very large web-scale control system. It will
>> probably be rather more effective than the UK/US/Aus governments even
>> wanted the PKI vendors to enable for them (since openid runs at the
>> app layer, rather than behind a difficult to access network socket).
>
> As browsers, too, evolve, peer-to-peer PKI will become more
> accessible to the casual user. Whether they will actually know or
> care how to take advantage of it seems doubtful, though ;)

Uh. Do you think that the self-signed-cert battle that has been going
on in Mozilla's dev-tech-crypto should be fought here as well?

As I ran into a problem of php-openid strangely failing when the
"default" CA certificates package was missing on a Debian box, I
noticed the inherent problem of PKI related trust being built into
OpenID (which used to state clearly, that "trust requires identity
first"). The problem is that most implementations do not care about
the certificates being used in the process, expose no APIs to
configure the process, and assume "we know what's best for you"
solutions by vendors making the trust decisions for the users (by
deciding which CA roots to distribute with their software packages).

So it seems justified that as OpenID uses PKI components and the
different "trust" issues and models in OpenID terms are usually
heavily discussed, PKI (which is considered broken in nature by many)
issues get attention too. So that we would not build upon the status
quo of current PKI implementations and be happy.

<irony>OR I'll insist that openid.net keeps a hierarchical registry of
trusted openid providers (and RPs).</irony>

m.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495