[OpenID] openid query

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Feb 29 11:44:27 UTC 2008


Vipin Rathor wrote:
>> This only solves the problem of eavesdropping, not trust.
>>     
> I disagree with this. As per my understanding, the digital
> certificate provides integrity, authentication and non-repudiation.
> (http://en.wikipedia.org/wiki/Public_key_certificate). And with the
> help of a trusted third party (CA), it provides trust relationships.
>
> Is there something with OpenID requirements, that I'm not getting?
Yes, please let me explain it and also answer other replies on the subject.

Who is the relying party (RP)?

- In the case of OpenID the relying party is the web site which sets up 
a facility to allow login with an OpenID. This is different as compared 
to secured web sites in PKI, where the visitor of a web site is the 
relying party. Therefore with OpenID the one relying on the information 
received from the provider is the web site, not the user and not the 
provider.


What is it that we as the relying party want?

- The RP wants to be assured that

    1.) The provider indeed authenticated the user according to a
    certain established standard. In OpenID language this is what the
    PAPE extension is for. PAPE allows the RP to request certain
    authentication policies which the provider implements or not. (See
    http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#anchor13
    )

    2.) That the operator operates his facility to a certain level of
    accepted standard and security. That is, because if the operator
    doesn't, the above assurances have no value altogether.

What does SSL solve for the exchange of data between the provider, user 
and the RP? Eavesdropping. Not much more, because the RP (which is a web 
site after all) isn't going to validate who the operator is (except in a 
white list scenario). The RP doesn't care really WHO he is, but rather 
HOW he operates. Does this explain it?


-- 
Regards 
 
Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
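
The two assurances listed in the message above, as an added example that is not part of the original post: a relying party reads the PAPE policies a provider claims in a positive assertion and accepts them only from providers it has vetted (the white list scenario). The function names, the allowlist and the example.com endpoint are constructed for illustration; signature verification is assumed to have been done by an OpenID library.

```python
# Added example, not code from the original post. Assumes an OpenID library has
# already verified the assertion's signature and performed discovery.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed allowlist: providers whose operation the RP has vetted out of band.
VETTED_PROVIDERS = {"https://op.example.com/server"}


def pape_alias(params):
    """Return the alias the provider bound to the PAPE namespace, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def claimed_policies(params):
    """Policies the provider says it applied. This is a claim, not proof."""
    alias = pape_alias(params)
    signed = params.get("openid.signed", "").split(",")
    # Ignore the field unless it is covered by the assertion's signature.
    if alias is None or f"{alias}.auth_policies" not in signed:
        return set()
    return set(params.get(f"openid.{alias}.auth_policies", "").split())


def accept_login(params, required, vetted=VETTED_PROVIDERS):
    """Return (accepted, reason) for an already verified positive assertion."""
    missing = set(required) - claimed_policies(params)
    if missing:
        return False, "policy not claimed: " + ", ".join(sorted(missing))
    # The claim is only worth as much as the operator making it.
    if params.get("openid.op_endpoint") not in vetted:
        return False, "provider not vetted, PAPE claim carries no assurance"
    return True, "ok"


# Constructed sample parameters of a positive assertion.
SAMPLE = {
    "openid.op_endpoint": "https://op.example.com/server",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.signed": "op_endpoint,ns.pape,pape.auth_policies",
}

if __name__ == "__main__":
    print(accept_login(SAMPLE, [MULTI_FACTOR]))
```

The same assertion sent over SSL from a provider outside the allowlist is rejected, which is the distinction between protecting the exchange and trusting the operator.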
 
