[OpenID] openid query
Martin Paljak
martin at paljak.pri.ee
Fri Feb 29 14:39:31 UTC 2008
On Feb 29, 2008, at 2:55 PM, NISHITANI Masaki wrote:
> I think that is the very reason of the importance of reputation
> services.
Yep, URL as a uniform 'person pointer' is the very core reason why I
believe OpenID is cool and allows building such services as reputation
services that work on internet scale.
> The difference between the real world and the digital world is, in
> digital world it is a short cake to spoof anybody else. In the real
> world, you see the face of your friend, hear voices of your friend
> and see the huge building of your bank, all are a sort of 'evidence'
> of why you can trust them.
Sorting out the relation between real life and digital life is
important, IMHO.
Some say that you can't take existing processes and conventions from
real life and just 'digitize them', as technology is different and
gives you enhanced possibilities that should be exploited to fully
make use of it. This is what I agree on when building 'e-Estonia' in
Estonia - it is stupid to take current bureaucratic processes and just
mirror them in a digital form.
At the same time it is not logical any more to create technology
solutions that don't take the users into account and don't mirror the
real life but instead try to create a closed world reality where
'all the problems are solved' yet which doesn't match the real world.
Money these days is a great form of 'trust'. You 'trust' a piece of
paper to be valuable, even though it has no real value itself. You can
create a 'mathematical digital dollar' but it is just as good as a
paper dollar - if I can't get a piece of gold for it, the value (or
trust) of a dollar is as volatile as the global currency exchange
dictates.
To know the value of a 'value pointer' such as money, you need markets
that set the exchange rate. To know the trust in a 'trust pointer'
such as OpenID, you need reputation services that give you the current
trust level. If you don't trust money, you collect gold. You're free
to love euros but reject Zimbabwe dollars. If you don't trust an
OpenID, you just reject it.
>
> On the other hand, in digital world, digital signature can take the
> place of such 'evidences'. It proves your friend is truly the person
> who is your friend.
>
> But with digital signatures, there is always 'bootstrap problem'. In
> other words, you cannot take any information about one you are just
> making a relationship.
>
> Reputation service is a technology which will suit this place.
> Instead of the huge building, you can choose your trustworthy
> reputation service provider and refer the score of that bank online
> (or it can be a phishing site. Who knows? The reputation service
> might know).
>
> Reputation service is not only one or based on the government or big
> business, but there can be many and can be based on any community.
>
> The community-based reputation service is a metaphor of the real
> society, and based on the PKI technology as well.
>
>
> Martin Paljak:
>> A bit OT, but something I always want to say when there is a
>> discussion about trust and technology.
>> IMHO trust is a very personal *decision* based on facts, not a fact
>> by itself. There is no universal "trust" that stems from technology.
>> In Estonia, when people say they don't trust the smart card
>> technology which the national eID is based upon or they don't
>> trust the government issuing them, I always reply with this:
>> "I believe it is OK to communicate using a technology you don't
>> trust, given to you by a party you don't trust, with a government
>> you don't trust anyway. If you lack trust in the first place, why
>> bother if it makes your life easier?"
>> I, for example, trust the technology behind smart cards. But I
>> might have issues with the government. And this zeros the final
>> "trust decision" made by me, no matter how good the technology
>> might be.
>> For me, all technologies that imply some kind of universal built
>> in trust (like PKI) are therefore broken by design.
>> So instead of building a uniform trust model into OpenID, let's
>> give all parties (users, consumers, providers) means to make a
>> good trust *decision* based on different inputs. Like PAPE.
>> On Feb 29, 2008, at 11:29 AM, Nat Sakimura wrote:
>>> But what does it take to get a cert? Very little.
>>>
>>> That is why it does not solve the trust problem.
>>>
>>> (EV Certs are another initiative to solve this trust problem,
>>> though. )
>>>
>>> Nat
>>>
>>> 2008/2/29, Vipin Rathor <v.rathor at gmail.com>:
>>>> hi,
>>>>
>>>>
>>>>
>>>>> This only solves the problem of eavesdropping, not trust.
>>>> I disagree with this. As per my understanding, the digital
>>>> certificate provides integrity, authentication and non-repudiation.
>>>> (http://en.wikipedia.org/wiki/Public_key_certificate). And with the
>>>> help of trusted third-party (CA), it provides trust relationships.
>>>>
>>>> Is there something with OpenID requirements, that I'm not getting?
>>>> Please help me out...
>>>>
>>>>
>>>> -- Rathor
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>>
>>>
>>> --
>>> Nat Sakimura (=nat)
>>> http://www.sakimura.org/en/
>
--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495