[OpenID] Thinking About OpenID.com
Snorri
snorri at snorri.eu
Thu Mar 20 18:41:50 UTC 2008
The best would be to resume the “benefits for the RPs” in 10/12 short points with a Marketing/Business language but “neutral” = no subjective
=> http://www.openideurope.eu/openid/relying-party/
I would like to add:
- The possibility of having databases always updated (depends on the implementation) with the last information of end users, e.g.: My last address if I move
- Reduce dead user accounts; often users test a site only once, but with his OP… he can remember that he had already an Return to this site
- +40% (French study) internet users close a site because there is a form; OpenID can increase the rate of transformation of a prospect to become a customer
Thoughts? (improve my words :)
Thanks for your participation
-Snorri
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On behalf of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, 20 March 2008 18:20
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] Thinking About OpenID.com
+1
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
Peter Williams:
Point 6 is very subjective, judged using the following (subjective) criteria.
10+ years of evidence has shown that consumers are unwilling or unable to handle self-signed cert root key download events, being unable or unwilling to evaluate the trust providers whose assurance underpins the delivery of SSL security services. This is likely to extend to the world of https openids, a type of openid that our trade association is apparently promoting as a "best practice" (a material, legal event, note). It's not clear that consumers will suddenly be able to now determine which providers are capable of providing anti-phishing protection.
Point 7 is perhaps ill advised as a basic rationale for openid adoption by RPs.
Relying parties are inevitably liable for the circumstances of their act of reliance on any (security) assertion made by a third party, says this non-lawyer. Having admitted an openid to be used to impersonate a subscribed user, and upon relying upon a UCI-grade OP's assertion, the RP will surely continue to have the full panoply of legal obligations.
Assume, for example, that the RP (e.g. "plaxo") is operating in the state of California. Assume also that the RP has account linked one or more of a CONSUMER's openids to a single "plaxo" for-fee account (that is subscribed to be in good standing), where we note that "plaxo" is in the normal, _dominant_ business-to-consumer legal relationship with the subscriber, as assessed under CA criteria. Assume now that the OP involved in the account linking is just 1 of several UCI-grade OPs bound by "plaxo" - upon one or more constructive acts of reliance involving cert messages and openid auth messages - to this and other subscriber accounts. Assume furthermore that "plaxo" is relying upon one or more OPs with whom it has no agreements governing the act of reliance. Let's assert now that it is now common public knowledge that a given OP has engaged in an improper act, leading to the situation that there is a "high level of risk" that Personal data of a "plaxo" subscriber has been compromised. We could ask Plaxo's general counsel to volunteer legal advice on a hypothetical: would s/he now feel legally obligated under CA law to issue n written letters by US post to all "affected" _subscribers_, warning them of the generalized exposure? If so, how would one enumerate those who are "affected" in the case of UCI-grade openid?
_____
From: Chris Drake
Sent: Thu 3/20/2008 3:34 AM
To: Brendon J. Wilson
Cc: general at openid.net
Subject: Re: [OpenID] Thinking About OpenID.com
Hi Brendon,
Some more suggestions...
6) Security - when folks have their fave provider, they're less
vulnerable to phishing and password hijacking in other forms, not
to mention, the provider's job is to improve in this area too,
freeing up the RP to ignore this stuff.
7) Legal responsibilities - probably not one that Providers are happy
with, but, it's not the RPs fault if a customer account is
plundered because of fault with the login system - freeing up the
RP from the legal liability/responsibility of that issue (eg: the
customer would sue the Provider, not the RP)
Liability is probably different depending on the TOS involved, and
the country of the customer and provider (and maybe RP) - some
jurisdictions have laws that forbid the disclaiming of various kinds
of liabilities.
Kind Regards,
Chris Drake
Thursday, March 20, 2008, 2:53:18 AM, you wrote:
BJW> +1 Snorri's comment.
BJW> I've been looking at OpenID for a client, and as I survey the OpenID
BJW> landscape it's become apparent very quickly that there's lots of
BJW> identity providers, but not a lot of relying parties. Any of the big
BJW> players seem to be staying out of that space, with the exception of
BJW> the blog platforms and open source CMS systems. Examples: AOL - only
BJW> Propeller seems to have OpenID as a login option. Yahoo! - haven't
BJW> found an OpenID login yet. All of the focus right now seems to be on
BJW> getting people to get an OpenID.
BJW> I think any discussion of how to evangelize OpenID to the general
BJW> public also requires the foundation to clearly articulate the value of
BJW> being a relying party, otherwise we risk stalled growth when users
BJW> finally decide to get an OpenID, but have nowhere to use it. JanRain
BJW> claims 8,000 relying parties, but I've seen little justification for
BJW> that number; OpenIDDirectory.com lists about 530 or so OpenID-related
BJW> sites, and 60 or so of them are identity providers. Demonstrating
BJW> value to potential relying parties also requires showing, in no
BJW> uncertain terms, just how many people already use it.
BJW> I'd like to propose the following strawman benefits of being a relying
BJW> party for the group to eviscerate (warning: businesspeak ahead):
BJW> 1) Expedited customer acquisition: OpenID allows users to quickly and
BJW> easily complete the account creation process by eliminating entry of
BJW> commonly requested fields (email address, sex, birthdate), thus
BJW> reducing the friction to adopt a new service.
BJW> 2) Reduced user account management costs: The primary cost for most IT
BJW> organizations is resetting forgotten authentication credentials. By
BJW> reducing the number of credentials, a user is less likely to forget
BJW> their credentials. By outsourcing the authentication process to a
BJW> third-party, the relying party can avoid those costs entirely.
BJW> 3) "Thought leadership": There is an inherent marketing value for an
BJW> organization to associate itself with activities that promote it as a
BJW> thought leader. It provides an organization with the means to
BJW> distinguish itself from its competitors. This is your chance to
BJW> outpace your competitors.
BJW> 4) Your competitors are already doing it: Whoops! So you missed out on
BJW> number 4, so you have to do it, otherwise you're falling behind the
BJW> times. Ketchup!
BJW> 5) Simplified user experience: Logical follow on from 1 & 2. However,
BJW> it's at the end of the list because that's not the business priority.
BJW> The business priority is the benefit that results from a simplified
BJW> user experience, not the simplified user experience itself.
BJW> Thoughts?
BJW> Brendon
BJW> ---
BJW> Brendon J. Wilson
BJW> www.brendonwilson.com
BJW> _______________________________________________
BJW> general mailing list
BJW> general at openid.net
BJW> http://openid.net/mailman/listinfo/general