[OpenID] openid query
Paul Madsen
paulmadsen at rogers.com
Fri Feb 29 12:40:29 UTC 2008
Hi Eddy, I agree completely. As yet the OpenID community has not defined
standards for the OP practices etc. that would normalize assurance, and
thereby make real trust scalable.
As it stands, PAPE (like SAML AuthnContext) is merely informational.
Unless interpreted within some relationship with the OP (not necessarily
direct), an RP will look at a PAPE statement and say 'Well that's nice
but why should I believe it'.
I hope that when the OpenID community does tackle this (any or all of
assurance levels, assessment, & certification, etc), it searches for
prior art. :-)
paul
Eddy Nigg (StartCom Ltd.) wrote:
> Paul Madsen wrote:
>>
>> An X.509 RP has the same desires as an OpenID RP, i.e. that they can be
>> confident that the authority's (either CA or OP)
>> practices/procedures/technologies provide sufficient assurance for
>> the application being accessed.
> Exactly! And what do we know about this? What do we know about
> "practices/procedures/technologies" in the OpenID world?
>
> As an OpenID RP I can't make a decision about each and every OP, not
> to mention that I've never seen any OP which has policy governing its
> operations. Nor have I ever seen a third party attestation confirming
> any policy or practice statement either. Hence, in the OpenID world,
> any trust (if there is such a thing at all) is based on pure
> assumptions... nothing more. Neither does SSL between the OP and RP
> solve this problem, it solves a different one (eavesdropping). In
> relation to that, I guess any OP not using https shouldn't even be
> considered by a RP really.
>
> In order to solve the problem mentioned above I suggested in the past
> to form a federated group of providers which operates according to a
> certain standard and verifies them in some form.
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
> Blog: Join the Revolution! <http://blog.startcom.org>
> Phone: +1.213.341.0390
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com
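
Added example, not part of the original thread: a sketch of an RP that treats a PAPE claim as informational unless it comes from an OP the RP already has a relationship with, which is the point both messages make. The trust list, endpoint URLs and function names are hypothetical, and the assertion's signature is assumed to have been verified already by the RP's OpenID library.

```python
from urllib.parse import urlparse

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY + "phishing-resistant"
MULTI_FACTOR = POLICY + "multi-factor"

# Constructed trust list: OP endpoint -> PAPE policies this RP has some
# out-of-band reason (contract, audit, federation membership) to believe.
TRUSTED_OPS = {
    "https://op.example.org/server": {PHISHING_RESISTANT, MULTI_FACTOR},
    "https://login.example.net/openid": {PHISHING_RESISTANT},
}

def accepted_policies(fields):
    """Return the PAPE policies the RP will act on for one assertion.

    Assumes `fields` is a positive assertion whose signature the RP's
    OpenID library has already verified.
    """
    endpoint = fields.get("openid.op_endpoint", "")
    if urlparse(endpoint).scheme != "https":
        return set()                      # OP without https: not considered
    believable = TRUSTED_OPS.get(endpoint)
    if believable is None:
        return set()                      # no relationship: claim is only informational
    # Extension aliases are chosen by the sender, so resolve by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return set()
    # The claim must be covered by the signature (openid.signed omits "openid.").
    if f"{alias}.auth_policies" not in fields.get("openid.signed", "").split(","):
        return set()
    claimed = set(fields.get(f"openid.{alias}.auth_policies", "").split())
    return claimed & believable

def sample_assertion(endpoint, policies, sign_pape=True):
    """Build a constructed, minimal assertion for demonstration."""
    signed = "op_endpoint,ns.pape" + (",pape.auth_policies" if sign_pape else "")
    return {"openid.op_endpoint": endpoint, "openid.ns.pape": PAPE_NS,
            "openid.pape.auth_policies": " ".join(policies), "openid.signed": signed}

if __name__ == "__main__":
    both = [PHISHING_RESISTANT, MULTI_FACTOR]
    for ep in ("https://op.example.org/server", "https://login.example.net/openid",
               "https://unknown-op.example.com/", "http://op.example.org/server"):
        print(ep, sorted(accepted_policies(sample_assertion(ep, both))))
```
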