[OpenID] openid query

Paul Madsen paulmadsen at rogers.com
Fri Feb 29 11:56:00 UTC 2008


'This is different as compared to secured web sites in PKI, where the 
visitor of a web site is the relying party'

the RP is the one that the user presents their cert to, i.e. the one that 
has to choose whether or not to rely on it

An X.509 RP has the same desires as an OpenID RP, i.e. that they can be 
confident that the authority's (either CA or OP) 
practices/procedures/technologies provide sufficient assurance for the 
application being accessed.

paul

Eddy Nigg (StartCom Ltd.) wrote:
> Vipin Rathor wrote:
>>> This only solves the problem of eavesdropping, not trust.
>>>     
>> I disagree with this. As per my understanding, the digital
>> certificate provides integrity, authentication and non-repudiation.
>> (http://en.wikipedia.org/wiki/Public_key_certificate). And with the
>> help of trusted third-party (CA), it provides trust relationships.
>>
>> Is there something with OpenID requirements, that I'm not getting?
> Yes, please let me explain it and also answer other replies on the 
> subject.
>
> Who is the relying party (RP)?
>
> - In the case of OpenID the relying party is the web site which sets 
> up a facility to allow login with an OpenID. This is different as 
> compared to secured web sites in PKI, where the visitor of a web site 
> is the relying party. Therefore with OpenID the one relying on the 
> information received from the provider is the web site, not the user 
> and not the provider.
>
>
> What is it that we as the relying party want?
>
> - The RP wants to be assured, that
>
>     1.) The provider indeed authenticated the user according to a
>     certain established standard. In OpenID language this is what the
>     PAPE extension is for. PAPE allows the RP to request certain
>     authentication policies which the provider implements or not. (See
>     http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#anchor13
>     )
>
>     2.) That the operator operates his facility to a certain level of
>     accepted standard and security. That is because, if the operator
>     doesn't, the above assurances have no value altogether.
>
> What does SSL solve for the exchange of data between the provider, 
> user and the RP? Eavesdropping. Not much more, because the RP (which 
> is a web site after all) isn't going to validate who the operator is 
> (except in a white list scenario). The RP doesn't care really WHO he 
> is, but rather HOW he operates. Does this explain it?
>
>
> -- 
> Regards 
>  
> Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
> Blog:  	Join the Revolution! <http://blog.startcom.org>
> Phone:  	+1.213.341.0390
>  
>

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-282-8647
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 
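The PAPE exchange Eddy describes in point 1, as an added example that is not part of the original thread and not code from the OpenID project: the RP builds the `preferred_auth_policies` / `max_auth_age` request parameters, then evaluates the `auth_policies` and `auth_time` fields of the positive assertion it gets back. Parameter names and policy URIs are those defined in PAPE 1.0; the sample assertion, the timestamps and the five-minute clock-skew allowance are constructed for this example, and the core OpenID signature over the assertion is assumed to have been verified already. Note what this does and does not give the RP: it checks that the OP *claims* the requested policy and that those claims are covered by the signature, which is exactly Eddy's point 2, since nothing here tells the RP whether the OP actually runs its facility to the standard it asserts.

```python
"""Added example: relying-party handling of a PAPE request and response.

Not code from the original thread or from the OpenID project.  Assumes the
core OpenID 2.0 signature on the assertion has already been checked; this
only decides whether the OP's PAPE claims satisfy what the RP asked for.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
NO_POLICY = POLICY_BASE + "none"        # OP asserting "no policy was applied"
CLOCK_SKEW = timedelta(minutes=5)       # assumption: tolerated OP clock drift


def build_pape_request(preferred_policies, max_auth_age=None):
    """Extra parameters the RP appends to its checkid_setup request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(max_auth_age)
    return params


def _pape_alias(params):
    """Namespace alias the OP chose for PAPE (usually 'pape', not guaranteed)."""
    for key, values in params.items():
        if key.startswith("openid.ns.") and values[0] == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def check_pape_response(query_string, required_policies, max_auth_age, now):
    """Return (ok, reason) for the PAPE part of an id_res assertion."""
    params = parse_qs(query_string, keep_blank_values=True)
    alias = _pape_alias(params)
    if alias is None:
        return False, "OP sent no PAPE response"
    prefix = f"openid.{alias}."

    # Every PAPE field the OP returned must be listed in openid.signed;
    # an unsigned field could have been added or altered by anyone on the path.
    signed = set(params.get("openid.signed", [""])[0].split(","))
    pape_fields = {k[len("openid."):] for k in params if k.startswith(prefix)}
    pape_fields.add(f"ns.{alias}")
    unsigned = pape_fields - signed
    if unsigned:
        return False, f"PAPE fields not in openid.signed: {sorted(unsigned)}"

    # auth_policies is space-separated; the 'none' URI asserts nothing.
    asserted = set(params.get(prefix + "auth_policies", [""])[0].split())
    asserted.discard(NO_POLICY)
    missing = set(required_policies) - asserted
    if missing:
        return False, f"OP did not assert required policies: {sorted(missing)}"

    if max_auth_age is not None:
        raw = params.get(prefix + "auth_time", [None])[0]
        if raw is None:
            return False, "max_auth_age requested but OP returned no auth_time"
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
        auth_time = auth_time.replace(tzinfo=timezone.utc)
        if auth_time - now > CLOCK_SKEW:
            return False, "auth_time lies in the future"
        if now - auth_time > timedelta(seconds=max_auth_age):
            return False, "authentication is older than max_auth_age"
    return True, "ok"


# Constructed sample assertion (signature value elided; assumed verified).
SAMPLE_RESPONSE = "&".join([
    "openid.ns=http://specs.openid.net/auth/2.0",
    "openid.mode=id_res",
    "openid.ns.pape=" + PAPE_NS,
    "openid.pape.auth_policies=" + PHISHING_RESISTANT + "%20" + MULTI_FACTOR,
    "openid.pape.auth_time=2008-02-29T11:50:00Z",
    "openid.signed=op_endpoint,return_to,response_nonce,assoc_handle,"
    "ns.pape,pape.auth_policies,pape.auth_time",
    "openid.sig=...",
])
# Same assertion, but the OP left the PAPE fields out of openid.signed.
UNSIGNED_RESPONSE = SAMPLE_RESPONSE.replace(
    ",ns.pape,pape.auth_policies,pape.auth_time", "")
NOW = datetime(2008, 2, 29, 11, 56, tzinfo=timezone.utc)   # constructed clock

if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT], max_auth_age=600))
    print(check_pape_response(SAMPLE_RESPONSE, [PHISHING_RESISTANT], 600, NOW))
    print(check_pape_response(SAMPLE_RESPONSE, [MULTI_FACTOR_PHYSICAL], 600, NOW))
    print(check_pape_response(UNSIGNED_RESPONSE, [PHISHING_RESISTANT], 600, NOW))
```

The alias lookup matters in practice: PAPE fields are identified by the namespace URI, not by the literal prefix `openid.pape.`, so an RP that hard-codes the prefix will silently ignore a conforming OP that chose a different alias, and an RP that skips the `openid.signed` check is relying on fields that were never bound to the OP's signature.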