[OpenID] Thinking About OpenID.com

[Johannes Ernst]

On 2008/03/20, at 3:34, Chris Drake wrote:
> 7) Legal responsibilities - probably not one that Providers are happy
>   with, but, it's not the RPs fault if a customer account is
>   plundered because of fault with the login system - freeing up the
>   RP from the legal liability/responsibility of that issue (eg: the
>   customer would sue the Provider, not the RP)

Actually, no. The customer would sue both the RP and the OP, and the  
RP would sue the OP -- at a minimum ;-) And one of the problems with  
have with OpenID so far is that legal discovery would be very hard  
because nobody could prove to anybody what they have done or not.

(This is one of the reasons why I originally picked GPG as the crypto  
for LID instead of symmetric keys that we have in OpenID -- if the RP  
keeps the incoming requests around, the RP can show them later in  
legal discovery and say "see, nobody could have produced this  
signature at the encoded time stamp other than somebody in the  
possession of the private key, and that's not us, so we get to go home  
free")

I continue to believe that we'll have to address this problem sooner  
or later ... even if some people on this list seem to have some kind  
of public-key phobia ;-)

Cheers,



Johannes.



Johannes Ernst
NetMesh Inc.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: openid-relying-party-anonymous.gif
Type: image/gif
Size: 903 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080321/c66d41d8/attachment-0004.gif>
-------------- next part --------------
  
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lid.gif
Type: image/gif
Size: 977 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080321/c66d41d8/attachment-0005.gif>
-------------- next part --------------
  http://netmesh.info/jernst