[OpenID] openid query

Nat Sakimura sakimura at gmail.com
Sat Mar 1 06:04:21 UTC 2008


Yes, definitely we would search for prior art. Actually, this is not
only for OpenID. Many people suggested I get in touch with you for
the ORMS TC @ OASIS, and I was going to :-)

=nat

2008/2/29, Paul Madsen <paulmadsen at rogers.com>:
> Hi Eddy, I agree completely. As yet the OpenID community has not defined
>  standards for the OP practices, etc., that would normalize assurance, and
>  thereby make real trust scalable.
>
>  As it stands, PAPE (like SAML AuthnContext) is merely informational.
>  Unless interpreted within some relationship with the OP (not necessarily
>  direct), an RP will look at a PAPE statement and say 'Well that's nice
>  but why should I believe it'.
>
>  I hope that when the OpenID community does tackle this (any or all of
>  assurance levels, assessment, & certification, etc), it searches for
>  prior art. :-)
>
>
>  paul
>
>  Eddy Nigg (StartCom Ltd.) wrote:
>
> > Paul Madsen wrote:
>  >>
>  >> An X.509 RP has the same desires as an OpenID RP, i.e. that they can be
>  >> confident that the authority's (either CA or OP)
>  >> practices/procedures/technologies provide sufficient assurance for
>  >> the application being accessed.
>  > Exactly! And what do we know about this? What do we know about
>  > "practices/procedures/technologies" in the OpenID world?
>  >
>  > As an OpenID RP I can't make a decision about each and every OP, not
>  > to mention that I've never seen any OP which has policy governing its
>  > operations. Nor have I ever seen a third party attestation confirming
>  > any policy or practice statement either. Hence, in the OpenID world,
>  > any trust (if there is such a thing at all) is based on pure
>  > assumptions... nothing more. Neither does SSL between the OP and RP
>  > solve this problem; it solves a different one (eavesdropping). In
>  > relation to that, I guess any OP not using https shouldn't even be
>  > considered by an RP really.
>  >
>  > In order to solve the problem mentioned above I suggested in the past
>  > to form a federated group of providers which operates according to a
>  > certain standard and verifies them in some form.
>  >
>  > --
>  > Regards
>  >
>  > Signer:       Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
>  > Jabber:       startcom at startcom.org <xmpp:startcom at startcom.org>
>  > Blog:         Join the Revolution! <http://blog.startcom.org>
>  > Phone:        +1.213.341.0390
>  >
>
>  --
>  Paul Madsen             e:paulmadsen @ ntt-at.com
>  NTT                     p:613-482-0432
>                         m:613-282-8647
>                         aim:PaulMdsn5
>                         web:connectid.blogspot.com
>
>  _______________________________________________
>  general mailing list
>  general at openid.net
>  http://openid.net/mailman/listinfo/general
>


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
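The thread makes two concrete RP-side points: a PAPE statement is only a claim unless the RP has some relationship with the OP, and an OP that is not served over https should not be considered at all. The following is an added example (not code from the thread, from OpenID, or from any of the participants) of how an RP could encode that stance: it rejects assertions from non-https OP endpoints, reads the PAPE `auth_policies` the OP claims, and only treats those claims as something the RP can rely on when the OP is in a configured set of providers the RP has an out-of-band basis to trust. The `TRUSTED_OPS` table, the OP endpoints and the sample assertions are constructed for this example; the PAPE namespace and policy URIs are the real ones from the PAPE 1.0 specification. The example assumes the OpenID signature on the assertion has already been verified, which is a separate step not shown here.

```python
from urllib.parse import urlparse

# PAPE 1.0 namespace and policy URIs as published in the OpenID PAPE spec.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Hypothetical RP policy table (constructed for this example): the OPs this RP
# has a contract, audit or federation basis to believe, and which PAPE policies
# that basis actually covers. Any OP not listed here gets "informational only".
TRUSTED_OPS = {
    "https://op.example.com/openid": {PHISHING_RESISTANT, MULTI_FACTOR},
}


def _pape_alias(params):
    """Return the extension alias the OP used for the PAPE namespace, if any."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def evaluate_assertion(params, trusted_ops=TRUSTED_OPS):
    """Decide how much of a positive assertion's PAPE claims the RP may rely on.

    Assumes the OpenID signature has already been verified. Returns a dict:
      ok           False if the assertion must be rejected outright
      reason       why it was rejected (None otherwise)
      claimed      policy URIs the OP says it applied
      relied_upon  subset the RP has a basis to believe (empty for unknown OPs)
      op_verified  whether the OP is in the RP's trusted set
    """
    op_endpoint = params.get("openid.op_endpoint", "")
    if urlparse(op_endpoint).scheme.lower() != "https":
        # An OP not using https is not even considered (a missing endpoint also fails).
        return {"ok": False, "reason": "op_endpoint not https", "claimed": set(),
                "relied_upon": set(), "op_verified": False}

    claimed = set()
    alias = _pape_alias(params)
    if alias is not None:
        claimed = set(params.get(f"openid.{alias}.auth_policies", "").split())
        claimed.discard("none")  # PAPE uses the literal "none" when no policy was met

    if op_endpoint not in trusted_ops:
        # PAPE is informational: without a relationship it is just a claim.
        return {"ok": True, "reason": None, "claimed": claimed,
                "relied_upon": set(), "op_verified": False}

    return {"ok": True, "reason": None, "claimed": claimed,
            "relied_upon": claimed & trusted_ops[op_endpoint], "op_verified": True}


def meets_requirement(decision, required_policy):
    """True only if the RP can actually rely on the required policy, not merely see it claimed."""
    return decision["ok"] and required_policy in decision["relied_upon"]


if __name__ == "__main__":
    # Constructed sample assertions (not captured from any real OP).
    base = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.com/openid",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR}",
    }
    samples = {
        "trusted OP": base,
        "unknown OP": dict(base, **{"openid.op_endpoint": "https://other-op.example.net/"}),
        "plain http": dict(base, **{"openid.op_endpoint": "http://op.example.com/openid"}),
    }
    for name, assertion in samples.items():
        d = evaluate_assertion(assertion)
        print(f"{name}: ok={d['ok']} reason={d['reason']} "
              f"claimed={len(d['claimed'])} relied_upon={len(d['relied_upon'])}")
```

The split between `claimed` and `relied_upon` is the point: the RP still records what the OP asserted, but a requirement such as "phishing-resistant login" is only satisfied when the claim comes from an OP the RP has a reason, beyond the assertion itself, to believe.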

