[OpenID] openid query

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Feb 29 12:32:14 UTC 2008


Paul Madsen wrote:
>
> An X.509 RP has the same desires as an OpenID RP, ie that they can be 
> confident that the authority's (either CA or OP) 
> practices/procedures/technologies provide sufficient assurance for the 
> application being accessed.
Exactly! And what do we know about this? What do we know about 
"practices/procedures/technologies" in the OpenID world?

As an OpenID RP I can't make a decision about each and every OP, not to 
mention that I've never seen any OP which has a policy governing its 
operations. Nor have I ever seen a third-party attestation confirming 
any policy or practice statement either. Hence, in the OpenID world, any 
trust (if there is such a thing at all) is based on pure 
assumptions... nothing more. Neither does SSL between the OP and RP 
solve this problem; it solves a different one (eavesdropping). In 
relation to that, I guess any OP not using https shouldn't even be 
considered by an RP really.

In order to solve the problem mentioned above I suggested in the past to 
form a federated group of providers which operates according to a 
certain standard and verifies them in some form.

-- 
Regards 
 
Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
 
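The two RP-side gates argued for in this message (refuse OPs whose endpoint is not served over https, and only accept OPs belonging to a federation that has been verified against some standard) can be expressed as a small policy check. The following is an added example, not code from this mailing list or from any OpenID library; the `FEDERATED_OPS` allowlist, the host names in it, and the function `evaluate_op_endpoint` are constructed for illustration. The check also rejects endpoints that embed credentials in the URL, an edge case an RP should not silently accept.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of OP hosts the RP's federation has verified.
# In practice this would be loaded from the federation's published list.
FEDERATED_OPS = {"op.example.org", "login.example.net"}


def evaluate_op_endpoint(endpoint, allowlist=FEDERATED_OPS, require_federation=True):
    """Decide whether an RP should accept an OP endpoint URL.

    Returns a (accepted, reason) tuple so the decision can be logged.
    The checks are applied in order: transport first, then URL hygiene,
    then federation membership.
    """
    parts = urlsplit(endpoint)

    # Gate 1: the OP must be reachable over https; plain http is rejected.
    if parts.scheme.lower() != "https":
        return False, "OP endpoint is not served over https"

    host = parts.hostname  # urlsplit strips any port and lowercases the host
    if not host:
        return False, "OP endpoint has no host component"

    # Credentials embedded in an endpoint URL are never legitimate here.
    if parts.username is not None or parts.password is not None:
        return False, "OP endpoint carries credentials in the URL"

    # Gate 2: only OPs verified by the federation are trusted.
    if require_federation and host not in allowlist:
        return False, f"OP host {host} is not in the federation allowlist"

    return True, "accepted"


if __name__ == "__main__":
    for url in (
        "https://op.example.org/server",
        "http://op.example.org/server",
        "https://unknown.example.com/openid",
        "https://alice:secret@login.example.net/",
    ):
        ok, why = evaluate_op_endpoint(url)
        print(f"{'ACCEPT' if ok else 'REJECT'} {url}: {why}")
```

With `require_federation=False` the function reduces to the https-only rule, which is the weaker position the message describes as the bare minimum an RP should demand.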
