[OpenID] Yahoo issue

Peter Williams pwilliams at rapattoni.com
Wed Feb 6 07:51:09 UTC 2008


John Panzer wrote:
> I think you're downplaying the significance of comments.  A Yahoo user 
> can post an authoritative memo on a Blogger blog, in the form of a 
> comment, today.  This is equivalent to email providers interoperating, 
> though with far better authentication than email. 

 
If Blogger or Yahoo are using DNS membership or a test of IP connectivity as an indirect white-list to filter acceptable RPs (or acceptable OPs), we essentially have a form of ident, used (optionally) in SMTP since the year dot.dot.dot.dot. The right of an SMTP relay on a given IP address to submit mail to its peer on behalf of a given RFC822 id is based on the receiving party performing RFC822 address discovery - where the submitting host may be required by RP policy to have an ident server on a different port/connection willing to assert the SMTP-sender's submission/relaying right (ident = a discovered OP, making authorization assertions using the naming-authority security model).
 
Whether openid authenticating the assertions of an OP to Blogger today is better than ident authenticating the (right of an SMTP relay at a domain to submit/relay mail on behalf of a given RFC822 id) really depends on the quality of the association request/response phase, IF IT IS USED IN PRACTICE ON A GIVEN PROTOCOL RUN (remembering that formation and use of association channels are optional; null associations are allowed in openid). To compare apples with apples, on the ident side it would also depend obviously on whether the routers supporting the SMTP sites were applying an authenticated packet tunnel (Caneware/Blacker+IPSecurityLabels (historical), GRE/PPTP and L2P friends, modern VPNs over MPLS using ISAKMP/IPSEC).
 
But, I think this technology stuff all misses the real point which is about security policy. If one is claiming that the post of authenticated _comments_ is a good example of enforcing end-user accountability via openid, then why would an RP=Blogger not let the blog owner use Yahoo OP to post his/her own messages directly? White listing OPs and insisting on associations over https using certain CAs is a perfectly acceptable RP policy. Ideally this would be published in extensions within the RP's signed XRD (that must be discovered in openid2).
 
I mean, today, I can post a message to my MSNSpaces blog from my phone's MMS/email account, based on me merely (as a "self OP") asserting a secret password sent in the clear over several SMTP relays! Surely we get openid to the same level of acceptability as "that" - to now _post_ first-party blog entries?
 
Then we ask: if only third-party comments but not first-party posts can apply openid, WHY? What does that say about openid's assurance model?
 
Then we also ask: if white-listed OPs are being imposed by dominant RPs with business-based security policies demanding minimal levels of assurance, is specifically the _UCI_ hypothesis at the heart of openid movement really holding?
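The RP policy the post describes (white-listed OPs, associations the RP itself formed over https to approved CAs, no null/stateless associations), as an added Python example that is not part of the thread or of any OpenID library; the association store, its `issuer_ca` field and the `op.example` hostnames are constructed assumptions, and verifying `openid.sig` with the association's MAC key is left outside the block.

```python
"""RP-side policy gate for one OpenID 2.0 positive assertion (added example).

A run is accepted only if: the op_endpoint is on the RP white-list and uses
https; the assoc_handle is one the RP formed itself (a stateless/"null"
run, where the OP minted the handle, is refused); that association was made
with the same op_endpoint and over a TLS channel whose certificate issuer is
an approved CA.  Association store and issuer_ca field are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlparse, parse_qs, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
WHITELISTED_OPS = {"op.example"}            # constructed RP policy
APPROVED_CAS = {"Example Trusted CA"}       # constructed RP policy


@dataclass(frozen=True)
class Association:
    handle: str
    op_endpoint: str   # endpoint the RP formed the association with
    issuer_ca: str     # CA that issued the OP's TLS cert (assumed field)


# Constructed association cache: rp-handle-2 was formed over a channel
# whose certificate chains to a CA the policy does not trust.
RP_ASSOCIATIONS: Dict[str, Association] = {
    "rp-handle-1": Association("rp-handle-1", "https://op.example/auth", "Example Trusted CA"),
    "rp-handle-2": Association("rp-handle-2", "https://op.example/auth", "Unknown CA"),
}


def sample_query(op_endpoint: str, handle: str) -> str:
    """Constructed id_res query string (sample data, not a captured response)."""
    return urlencode({
        "openid.ns": OPENID2_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint, "openid.claimed_id": "https://me.example/",
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,assoc_handle",
        "openid.sig": "AAAA",  # placeholder; signature check is out of scope here
    })


def check_run(query: str, associations: Dict[str, Association]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one protocol run."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if p.get("openid.ns") != OPENID2_NS or p.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    endpoint = p.get("openid.op_endpoint", "")
    url = urlparse(endpoint)
    if url.scheme != "https" or url.hostname not in WHITELISTED_OPS:
        return False, f"OP endpoint {endpoint!r} not white-listed over https"
    assoc = associations.get(p.get("openid.assoc_handle", ""))
    if assoc is None:   # OP-minted handle: RP never formed this association
        return False, "null association; an RP-formed association is required"
    if assoc.op_endpoint != endpoint:
        return False, "assoc_handle was not established with this op_endpoint"
    if assoc.issuer_ca not in APPROVED_CAS:
        return False, f"association channel CA {assoc.issuer_ca!r} not approved"
    return True, "policy satisfied; signature verification still required"
```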
 