[OpenID] Thinking About OpenID.com

Johannes Ernst jernst+openid.net at netmesh.us
Sat Mar 22 07:01:11 UTC 2008


Apologies, but I have no idea what you just said, neither  
syntactically nor semantically ;-)

On 2008/03/21, at 20:57, Peter Williams wrote:

> writer to reader crypto policy via public key crypto and cert-based  
> key distribution prevents dis-intermediation by RP proxies, allowing  
> ORCON (originator control) over the controls on the IDP to be  
> actually impacting the RP in question (not some proxy). This has  
> been well known since the early 70s, and was applied through the 80s  
> in secure phone and data networks. The advantage of trusted message  
> switching, using symmetric crypto, is that it allows for  
> backtracking-based sp-initiated flows, with dis-intermediation  
> "options" : plugins, call outs, choices, policy enforcements  
> determined and enforced by the distributed agents along the handoff  
> line (vs in the logic defined by a centralized PKI control system).  
> The war between the approaches of writer-to-reader vs trusted  
> messaging has been going on for 30 years, in military MHS design.
>
> On a different topic, I note that (https) home_pw.myopenid.com has  
> semantic annotations - using the vcard tags. Is it your idea that  
> one or other AX provider would use that page as an authoritative  
> source of attributes, to be sent to RPs?
>
> _________________________
> Peter Williams
> Chief Information Security Officer
> Mobile (805) 416-6305
>
> From: Johannes Ernst
> Sent: Fri 3/21/2008 12:39 PM
> To: Chris Drake
> Cc: openid-general List
> Subject: Re: [OpenID] Thinking About OpenID.com
>
> On 2008/03/20, at 3:34, Chris Drake wrote:
> > 7) Legal responsibilities - probably not one that Providers are happy
> >   with, but, it's not the RPs fault if a customer account is
> >   plundered because of fault with the login system - freeing up the
> >   RP from the legal liability/responsibility of that issue (eg: the
> >   customer would sue the Provider, not the RP)
>
> Actually, no. The customer would sue both the RP and the OP, and the
> RP would sue the OP -- at a minimum ;-) And one of the problems I
> have with OpenID so far is that legal discovery would be very hard
> because nobody could prove to anybody what they have done or not.
>
> (This is one of the reasons why I originally picked GPG as the crypto
> for LID instead of symmetric keys that we have in OpenID -- if the RP
> keeps the incoming requests around, the RP can show them later in
> legal discovery and say "see, nobody could have produced this
> signature at the encoded time stamp other than somebody in the
> possession of the private key, and that's not us, so we get to go home
> free")
>
> I continue to believe that we'll have to address this problem sooner
> or later ... even if some people on this list seem to have some kind
> of public-key phobia ;-)
>
> Cheers,
>
> Johannes.
>
> Johannes Ernst
> NetMesh Inc.
>
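The quoted paragraph on GPG versus symmetric keys rests on one property: with a shared secret, anyone who can verify a signature could also have produced it, so a retained request proves nothing to a third party, whereas a public-key signature can be checked by anyone holding the public key without giving them the ability to forge one. The following is an added example, not code from this thread or from any OpenID library; it uses Ed25519 as a stand-in for GPG, HMAC-SHA256 for the OpenID-style association secret, and a constructed assertion string whose field names are illustrative only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// sampleAssertion is a constructed stand-in for the request an RP would
// retain for later dispute. Field names are illustrative, not protocol names.
const sampleAssertion = "identity=https://op.example.invalid/alice" +
	"&return_to=https://rp.example.invalid/cb&timestamp=2008-03-21T12:39:00Z"

// SymmetricMAC is the shared-secret design: OP and RP both hold key.
func SymmetricMAC(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// VerifySymmetric checks a MAC. Whoever can run this check holds the key
// and could therefore have minted the MAC themselves.
func VerifySymmetric(key []byte, msg string, mac []byte) bool {
	return hmac.Equal(SymmetricMAC(key, msg), mac)
}

// SignAsymmetric is the public-key design: only the OP holds priv.
func SignAsymmetric(priv ed25519.PrivateKey, msg string) []byte {
	return ed25519.Sign(priv, []byte(msg))
}

// VerifyAsymmetric needs only the public key, so the RP, an auditor or a
// court can check a stored request without being able to forge one.
func VerifyAsymmetric(pub ed25519.PublicKey, msg string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(msg), sig)
}

// Outcome records what each design lets the verifying party do.
type Outcome struct {
	MACVerifies         bool // RP verifies the OP's MAC
	MACForgeable        bool // RP can mint a MAC indistinguishable from the OP's
	SigVerifies         bool // RP verifies the OP's signature with the public key
	SigForgeable        bool // RP can mint a signature valid under the OP's key
	TamperedSigVerifies bool // altered request still verifies (must be false)
}

// Demonstrate runs both designs over sampleAssertion and reports the
// non-repudiation properties each one gives the relying party.
func Demonstrate() (Outcome, error) {
	var out Outcome

	// Shared association secret held by both OP and RP.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return out, err
	}
	opMAC := SymmetricMAC(shared, sampleAssertion)
	out.MACVerifies = VerifySymmetric(shared, sampleAssertion, opMAC)
	// The RP holds the same key, so its own MAC is byte-identical.
	out.MACForgeable = hmac.Equal(SymmetricMAC(shared, sampleAssertion), opMAC)

	// OP key pair; the RP only ever sees opPub.
	opPub, opPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	sig := SignAsymmetric(opPriv, sampleAssertion)
	out.SigVerifies = VerifyAsymmetric(opPub, sampleAssertion, sig)
	// Best the RP can do without opPriv is sign with some other key.
	_, rpPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.SigForgeable = VerifyAsymmetric(opPub, sampleAssertion, SignAsymmetric(rpPriv, sampleAssertion))
	// Any change to the retained request breaks the signature.
	out.TamperedSigVerifies = VerifyAsymmetric(opPub, sampleAssertion+"&extra=1", sig)
	return out, nil
}

func main() {
	out, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point for a dispute is the two `Forgeable` fields: the MAC verifies but is forgeable by the RP, so it cannot support the "not us" argument in the quoted paragraph; the Ed25519 signature verifies, cannot be forged from verifier material, and fails on any tampering, which is what makes a retained request useful evidence.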
