[OpenID] Several Questions for the Current & Future Board
Peter Williams
pwilliams at rapattoni.com
Wed Dec 17 19:54:42 UTC 2008
I can tell certain things from the language used and attitudes shown (this skill simply comes to one after a while, as a side effect of being involved in the (crypto) assurance/audit business).
Folks passing audits - as a means of willingly showcasing good faith - eventually learn to find "joy" in meeting the transparency rules, even during an on-demand, no-notice inspection. It's like the joy any book-keeper has in showing that the double-entry books are balanced - and decimal perfect. The controls are in place, and are resilient - that is what they are showing. "One doesn't need notice." Monty Python folk (who failed to become accountants) never learned this joy, and could only express frustration about the apparent meaninglessness and senselessness of the accounting/audit profession (expressed in their comedy).
One of the common reactions to the audit obligation is one or more expressions of frustration. First, it's a waste of time. Second, it hinders business. Third, it's not affordable. Fourth, doesn't it impute wrongdoing?
No. No. No. And no. It supports scaling - when the number of reliance acts invoked by a billion relying parties means that line-by-line, or on-demand, audits just don't scale. We cannot all do onsite inspections. The need for assurance becomes a matter of testing the "control regimes", instead of the books. As we all know, it's still easy to corrupt the auditor, fool the auditor, and be a corrupt or incompetent auditor.
Once one gets past adoption of bit formats and protocols doing authentication for public networks, the usual next challenge for a community addressing I&A is assurance - whose evil twin is audit.
If one can get over the hump and learn to enjoy conformance with a control regime for financial accounting, one will be well prepared for almost exactly the same thing in the accounting of crypto material (and other I&A materials). It's the same process in identity2.0 as in accounting2.0; and it's the same joy. Unless you have been there, it is hard to grasp.
The next Foundation Board gets to decide whether it wishes for it/us to be competent in the assurance/governance arena (and then the related legal space); or whether it wants, essentially, to engage only in software engineering.
Personally, I enjoy high assurance software engineering, which fits well with higher assurance authentication protocols, and higher assurance accounting of any other type. Getting joy from audits translates into getting joy from well engineered software/hardware. The controls seen in audit have their analogue in higher quality engineering management controls, especially those required in high assurance security software.
I suspect the world is looking at openid, and wondering if it has what it takes to cross the threshold into providing assurance for public networks. (PGP failed to cross that line, as also failed the SSH community.) There are signals it can and it MIGHT. There are also attitude signals that suggest it will waver and fall below the line, as have many before it. It will be tempting to rationalize the all-solving fixup to these hassles - that the "web as a movement" changes the paradigm, and thus old rules don't apply to us - the brave new world of openid and mashups in UCI. One will find they do - as the audit/legal rules simply morph themselves to re-sync with the things they control.
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Johannes Ernst
> Sent: Wednesday, December 17, 2008 10:27 AM
> To: OpenID List
> Subject: Re: [OpenID] Several Questions for the Current & Future Board
>
> On Dec 16, 2008, at 15:51, Dick Hardt wrote:
>
> > My point is that you are insinuating that the board was spending
> money
> > like drunken sailors ...
>
> I am not insinuating that at all. I couldn't insinuate even if I wanted
> to -- because I simply don't know because I have not seen sufficient
> information that allows me to tell whether that is true or not.
>
> To be clear, I do believe that everybody on the current board is
> basically honest and no bad things have happened. But they also said
> that about Enron. As board member of any organization, I don't believe
> one can live up to one's fiduciary responsibilities by simply believing
> everything is fine.
>
> The whole point is that a board needs to know what is going on,
> financially, on a regular basis. At every board meeting is the schedule
> that I'm familiar with, and that's what I've been advocating.
> But of course I'm repeating myself here ... and we are spending far
> more time arguing about this than it would take to have QuickBooks
> generate a BS, a P&L, and CF summary and e-mailing it out. Which is why
> I really don't understand that we even have this argument because it
> costs a lot more time and energy than doing the right thing in the
> first place.
>
> Cheers,
>
>
>
> Johannes.
>
>
>
>
>
>
> Johannes Ernst
> NetMesh Inc.