[OpenID] Boards/Foundation's use of openid, on authoritative websites
Peter Williams
pwilliams at rapattoni.com
Sat Feb 9 23:24:07 UTC 2008
Longer than 5 lines. Delete now, as appropriate.
-------
http://wiki.openid.net/Special:Contributions/Martin is assuredly OpenID enabled. And, that site has a RP-site-based account linking feature, in the model of SAML1.0.
Soapbox: The product has an annoying websso feature though. Navigate to a page, perform login, and the page flow engine forces you to your own portal entry point (rather than...read the page you started at!). But, this is immature websso product design, not a fault of the protocol design.
Now, let's turn to the more pertinent assurance topic, that is surely brewing a storm fast:
Under the UCI doctrine, any OP should be able to be used to post/upload contributions from identified persons to this relying party site. This includes that OP site in India that provides for bogus id, as a tech demo.
Is the Board secretary actually (legally) relying now on that formal site (and the OpenIDs managed by one or more OPs) to upload Board minutes (a relatively sensitive PR issue)? Are the OPs allowed for that function limited in any way? Is OpenID specifically NOT used, perhaps, for that particular function? Are the usual legal semantic games being played (I'm a Board secretary one moment, but just a public person the next)?
I ask all this because, offline, some of us are having a conversation on how OpenID adoption will now proceed given endorsement by major brands with lots of brand equity to lose, when the apparently "unlimited" unmanaged-ness of UCI starts to conflict with good practice (not "best" practice, note) in day-to-day business risk management.
Obviously, the Board's own use of the technology would be a good indicator to others applying OpenID-based websso - showing how risk, trust and assurance issues can be addressed with a "good" practice business framework that most folks operate under (unlike public companies who need to meet "best" practices, say).
If there is one additional set of disclosures I advise one makes, it's discussion of the technical/operational policies that the Board and its internal/external auditors endorsed, when relying on openid doctrine and practice, as it attempts to satisfy reasonable business practice (as it surely must, under Oregon law). We clearly have an IT system being used in the pursuit of Foundation interests, interacting with members and the public (e.g. me). If the operational director of the Foundation saw fit to impose policy limits concerning use of that system by Board members in their Board capacity, they should be disclosed as models that folks can see (and thus emulate). If that sounds like too much work, one can simply publish the setup config files of the wiki system, as a showcase of how to perform formal corporate risk management in the adoption of websso, as Oregon law surely obligates.
________________________________
From: general-bounces at openid.net on behalf of David Recordon
Sent: Sat 2/9/2008 2:31 PM
To: OpenID List
Cc: board at openid.net
Subject: [OpenID] Helping the Foundation Answer Everyone's Questions