[OpenID] openid query

NISHITANI Masaki m-nishitani at nri.co.jp
Fri Feb 29 12:55:59 UTC 2008


Hello Martin.

I think that is the very reason of the importance of 
reputation services.

The difference between the real world and the digital world 
is, in digital world it is a short cake to spoof anybody 
else. In the real world, you see the face of your friend, 
hear voices of your friend and see the huge building of your 
bank, all are a sort of 'evidence' of why you can trust them.

On the other hand, in digital world, digital signature can 
take the place of such 'evidences'. It proves your friend is 
truly the person who is your friend.

But with digital signatures, there is always 'bootstrap 
problem'. In other words, you cannot take any information 
about one you are just making a relationship.

Reputation service is a technology which will suit this 
place. Instead of the huge building, you can choose your 
trustworthy reputation service provider and refer the score 
of that bank online (or it can be a phishing site. Who 
knows? The reputation service might know).

Reputation service is not only one or based on the 
government or big business, but there can be many and can be 
based on any community.

The community-based reputation service is a metaphor of the 
real society, and based on the PKI technology as well.


Martin Paljak:
> A bit OT, but something I always want to say when there is a  
> discussion about trust and technology.
> 
> IMHO trust is a very personal *decision* based on facts, not a fact by  
> itself. There is no universal "trust" that stems from technology.
> 
> In Estonia, when people say they don't trust the smart card technology  
> which the national eID is based upon or they don't trust the  
> government issuing them, I always reply with this:
> 
> "I believe it is OK to communicate using a technology you don't trust,  
> given to you by a party you don't trust, with a government you don't  
> trust anyway. If you lack trust in the first place, why bother if it  
> makes your life easier?"
> 
> I, for example, trust the technology behind smart cards. But I might  
> have issues with the government. And this zeros the final "trust  
> decision" made by me, no matter how good the technology might be.
> 
> For me, all technologies that imply some kind of universal built in  
> trust (like PKI) are therefore broken by design.
> 
> So instead of building a uniform trust model into OpenID, let's give  
> all parties (users, consumers, providers) means to make a good trust  
> *decision* based on different inputs. Like PAPE.
> 
> 
> 
> 
> On Feb 29, 2008, at 11:29 AM, Nat Sakimura wrote:
>> But what does it take to get a cert? Very little.
>>
>> That is why it does not solve the trust problem.
>>
>> (EV Certs are another initiative to solve this trust problem,  
>> though. )
>>
>> Nat
>>
>> 2008/2/29, Vipin Rathor <v.rathor at gmail.com>:
>>> hi,
>>>
>>>
>>>
>>>> This only solves the problem of eavesdropping, not trust.
>>> I disagree with this. As per my understanding, the digital
>>> certificate provides integrity, authentication and non-repudiation.
>>> (http://en.wikipedia.org/wiki/Public_key_certificate). And with the
>>> help of trusted third-party (CA), it provides trust relationships.
>>>
>>> Is there something with OpenID requirements, that I'm not getting?
>>> Please help me out...
>>>
>>>
>>> -- Rathor
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>>
>> -- 
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
> 