[OpenID] Thinking About OpenID.com

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Mar 20 17:19:56 UTC 2008


+1

-- 
Regards 
 
Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
 



Peter Williams:
> Point 6 is very subjective, judged using the following (subjective) 
> criteria.
>
>     10+ years of evidence has shown that consumers are unwilling or
>     unable to handle self-signed cert root key download events, being
>     unable or unwilling to evaluate the trust providers whose
>     assurance underpins the delivery of SSL security services. This is
>     likely to extend to the world of https openids, a type of openid
>     that our trade association is apparently promoting as a "best
>     practice" (a material, legal event, note). It's not clear that
>     consumers will suddenly be able to determine which providers
>     are capable of providing anti-phishing protection.
>
> Point 7 is perhaps ill-advised as a basic rationale for openid 
> adoption by RPs.
>
>     Relying parties are inevitably liable for the circumstances of
>     their act of reliance on any (security) assertion made by a third
>     party, says this non-lawyer. Having admitted an openid to be used
>     to impersonate a subscribed user, and upon relying upon a
>     UCI-grade OP's assertion, the RP will surely continue to have the
>     full panoply of legal obligations.
>
>     Assume, for example, that the RP (e.g. "plaxo") is operating in
>     the state of California. Assume also that the RP has account
>     linked one or more of a CONSUMER's openids to a single "plaxo"
>     for-fee account (that is subscribed to be in good standing), 
>     where we note that "plaxo" is in the normal,
>     _dominant_ business-to-consumer legal relationship with the
>     subscriber, as assessed under CA criteria. Assume now that the OP
>     involved in the account linking is just 1 of several UCI-grade OPs
>     bound by "plaxo" - upon one or more constructive acts of reliance
>     involving cert messages and openid auth messages - to this and
>     other subscriber accounts. Assume furthermore that "plaxo" is
>     relying upon one or more OPs with whom it has no agreements
>     governing the act of reliance. Let's assert that it is now
>     common public knowledge that a given OP has engaged in an improper
>     act, leading to the situation that there is a "high level of
>     risk" that personal data of a "plaxo" subscriber has been
>     compromised. We could ask Plaxo's general counsel to volunteer
>     legal advice on a hypothetical: would s/he now feel legally
>     obligated under CA law to issue n written letters by US post to
>     all "affected" _subscribers_, warning them of the generalized
>     exposure? If so, how would one enumerate those who are "affected"
>     in the case of UCI-grade openid?
>
> ------------------------------------------------------------------------
> *From:* Chris Drake
> *Sent:* Thu 3/20/2008 3:34 AM
> *To:* Brendon J. Wilson
> *Cc:* general at openid.net
> *Subject:* Re: [OpenID] Thinking About OpenID.com
>
> Hi Brendon,
>
> Some more suggestions...
>
> 6) Security - when folks have their fave provider, they're less
>    vulnerable to phishing and password hijacking in other forms, not
>    to mention, the provider's job is to improve in this area too,
>    freeing up the RP to ignore this stuff.
>
> 7) Legal responsibilities - probably not one that Providers are happy
>    with, but, it's not the RP's fault if a customer account is
>    plundered because of a fault with the login system - freeing up the
>    RP from the legal liability/responsibility of that issue (e.g. the
>    customer would sue the Provider, not the RP)
>
>    Liability is probably different depending on the TOS involved, and
>    the country of the customer and provider (and maybe RP) - some
>    jurisdictions have laws that forbid the disclaiming of various kinds
>    of liabilities.
>    
> Kind Regards,
> Chris Drake
>
>
> Thursday, March 20, 2008, 2:53:18 AM, you wrote:
>
> BJW> +1 Snorri's comment.
>
> BJW> I've been looking at OpenID for a client, and as I survey the OpenID
> BJW> landscape it's become apparent very quickly that there's lots of
> BJW> identity providers, but not a lot of relying parties. Any of the big
> BJW> players seem to be staying out of that space, with the exception of
> BJW> the blog platforms and open source CMS systems. Examples: AOL - only
> BJW> Propeller seems to have OpenID as a login option. Yahoo! - haven't
> BJW> found an OpenID login yet. All of the focus right now seems to be on
> BJW> getting people to get an OpenID.
>
> BJW> I think any discussion of how to evangelize OpenID to the general
> BJW> public also requires the foundation to clearly articulate the value of
> BJW> being a relying party, otherwise we risk stalled growth when users
> BJW> finally decide to get an OpenID, but have nowhere to use it. JanRain
> BJW> claims 8,000 relying parties, but I've seen little justification for
> BJW> that number; OpenIDDirectory.com lists about 530 or so OpenID-related
> BJW> sites, and 60 or so of them are identity providers. Demonstrating
> BJW> value to potential relying parties also requires showing, in no
> BJW> uncertain terms, just how many people already use it.
>
> BJW> I'd like to propose the following strawman benefits of being a relying
> BJW> party for the group to eviscerate (warning: businesspeak ahead):
>
> BJW> 1) Expedited customer acquisition: OpenID allows users to quickly and
> BJW> easily complete the account creation process by eliminating entry of
> BJW> commonly requested fields (email address, sex, birthdate), thus
> BJW> reducing the friction to adopt a new service.
>
> BJW> 2) Reduced user account management costs: The primary cost for most IT
> BJW> organizations is resetting forgotten authentication credentials. By
> BJW> reducing the number of credentials, a user is less likely to forget
> BJW> their credentials. By outsourcing the authentication process to a
> BJW> third party, the relying party can avoid those costs entirely.
>
> BJW> 3) "Thought leadership": There is an inherent marketing value for an
> BJW> organization to associate itself with activities that promote it as a
> BJW> thought leader. It provides an organization with the means to
> BJW> distinguish itself from its competitors. This is your chance to
> BJW> outpace your competitors.
>
> BJW> 4) Your competitors are already doing it: Whoops! So you missed out on
> BJW> number 4, so you have to do it, otherwise you're falling behind the
> BJW> times. Ketchup!
>
> BJW> 5) Simplified user experience: Logical follow-on from 1 & 2. However,
> BJW> it's at the end of the list because that's not the business priority.
> BJW> The business priority is the benefit that results from a simplified
> BJW> user experience, not the simplified user experience itself.
>
> BJW> Thoughts?
>
> BJW> Brendon
> BJW> ---
> BJW> Brendon J. Wilson
> BJW> www.brendonwilson.com
> BJW> _______________________________________________
> BJW> general mailing list
> BJW> general at openid.net
> BJW> http://openid.net/mailman/listinfo/general
