[OpenID] openid query

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Feb 29 21:19:33 UTC 2008


Martin Paljak wrote:
>
> Do I trust the 50+ 'authorities' pre-selected by somebody else for me  
> in Firefox? I doubt it. Do I trust the OpenID providers I've chosen to  
> use? More likely.

So this is entirely off-topic (well, maybe it isn't), but it seems that 
you have no clue about how CAs are admitted and governed in the Mozilla 
NSS store. Not only is the full process of inclusion of a CA performed 
publicly, a concrete set of policy [1] (and practices) controls 
inclusions and included CAs. The CAs in NSS are not just "pre-selected 
by somebody"; each CA undergoes a not-so-easy process, and some are 
rejected entirely or held up for inclusion until meeting certain 
requirements. Mozilla does provide a set of CAs included within their 
software on behalf of the user, because it's very inconvenient to read 
and understand each CA's policies and attestations in order to make 
a decision.

OpenID providers don't have to undergo *any* vetting and don't have to 
adhere to *any* outlined requirements and policies whatsoever, so what 
you are saying here is absolute rubbish. Joe Candoall may be an OpenID 
provider but certainly not a CA included in NSS (or other software, I 
guess). I suggest being careful with such baseless and bold comparisons 
if you don't know about it... else please explain what the basis of 
your trust in OpenID providers is compared to the Mozilla-included CAs, 
because what you are saying right now is that:

- I trust a provider which has its site hosted at some shared hosting 
provider somewhere
- I trust a provider which doesn't have any policies and practices implemented
- I trust a provider which doesn't need to meet any requirements whatsoever
- I trust a provider which hasn't undergone any vetting by a third party
- I trust a provider which doesn't have to take any responsibility
- I trust a provider which doesn't give me any guarantees nor insight 
about its authentication methods


- I don't trust a set of CAs which *must* meet declared requirements set 
forth by Mozilla...mmmhhh....


[1] http://www.mozilla.org/projects/security/certs/policy/

-- 
Regards 
 
Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
 
