[OpenID] Thinking About OpenID.com
Peter Williams
pwilliams at rapattoni.com
Sun Mar 23 17:07:21 UTC 2008
I spent some time last night playing with the NetMesh LID service, trying to see how its use of public key controls supplements/augments/replaces the control protocols and message flows used in OpenID2. What UniNett did in Mar07 (http://rnd.feide.no/node/36) for SAML1/SAML2/Shib/OpenID by making a multi-protocol PHP library, NetMesh seems to have done for OpenID/LID.
As LID went into the original consensus in defining OpenID (whose designers reportedly decided against any use of public key control systems), one might consider the LID topic closed.
At the same time, as OpenID2 goes beyond application to "authenticated blog comments" and now patently addresses general websso to corporate subscription services like plaxo, pbwiki and Google Apps (via UniNett-style gateways), perhaps it's time for a WG to revisit the LID (and others') application of public key control systems. Presumably, the goal would be to ensure that the OP __controls__ the "intended recipient" of its assertions, addressing RP-proxying using classical "originator control (ORCON)" security policy enforcement techniques.
From: Nat Sakimura
Sent: Sun 3/23/2008 4:38 AM
To: Johannes Ernst
Cc: openid-general List
Subject: Re: [OpenID] Thinking About OpenID.com
Hi Johannes,
Actually, that is part of the reason why we are bringing the notion of Public Key back into place in our proposal of reputation service and trusted data exchange. For serious business apps, I suppose we need this kind of structure.
Let us discuss them in the forthcoming WGs :-)
=nat
2008/3/22, Johannes Ernst <jernst+openid.net at netmesh.us>:
On 2008/03/20, at 3:34, Chris Drake wrote:
> 7) Legal responsibilities - probably not one that Providers are happy
> with, but, it's not the RP's fault if a customer account is
> plundered because of a fault with the login system - freeing up the
> RP from the legal liability/responsibility of that issue (eg: the
> customer would sue the Provider, not the RP)
Actually, no. The customer would sue both the RP and the OP, and the
RP would sue the OP -- at a minimum ;-) And one of the problems we
have with OpenID so far is that legal discovery would be very hard
because nobody could prove to anybody what they have done or not.
(This is one of the reasons why I originally picked GPG as the crypto
for LID instead of symmetric keys that we have in OpenID -- if the RP
keeps the incoming requests around, the RP can show them later in
legal discovery and say "see, nobody could have produced this
signature at the encoded time stamp other than somebody in the
possession of the private key, and that's not us, so we get to go home
free")
I continue to believe that we'll have to address this problem sooner
or later ... even if some people on this list seem to have some kind
of public-key phobia ;-)
Cheers,
Johannes.
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
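The distinction Johannes draws above, between the shared-key signatures OpenID associations use and the GPG signatures LID used, is easier to see in code than in prose. The Go program below is an added example for this archive page, not code from any participant in the thread or from NetMesh, LID or the OpenID libraries. It builds a constructed OpenID 2.0 style positive assertion, signs it once with an HMAC under a MAC key both OP and RP hold (as an OpenID association does) and once with a private key only the OP holds (Ed25519 stands in for the GPG keys LID used; the property being shown is the same), then plays the dishonest RP: with the shared key it can produce a valid MAC over an assertion the OP never issued, while with only the OP's public key it cannot. All field values, key material and function names here are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sampleAssertion is a constructed OpenID 2.0 positive assertion, reduced to
// the key:value form the protocol signs. Every field value is made up.
const sampleAssertion = "ns:http://specs.openid.net/auth/2.0\n" +
	"mode:id_res\n" +
	"op_endpoint:https://op.example/endpoint\n" +
	"claimed_id:https://alice.op.example/\n" +
	"return_to:https://rp.example/finish\n" +
	"response_nonce:2008-03-23T17:07:21Zabcdef\n"

// forgedAssertion is what a dishonest RP would like to present later in
// discovery: the genuine assertion plus a line the OP never issued.
const forgedAssertion = sampleAssertion + "custom:never_sent_by_op\n"

// --- OpenID 2.0 style: one MAC key shared by OP and RP via the association ---

func hmacSign(macKey []byte, msg string) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func hmacVerify(macKey []byte, msg string, sig []byte) bool {
	return hmac.Equal(hmacSign(macKey, msg), sig)
}

// rpCanForgeHMAC: the RP holds the very key the OP signs with, so it can
// produce a valid MAC over any message, including one the OP never sent. A
// third party looking at (msg, sig) cannot tell which side produced it.
func rpCanForgeHMAC(macKey []byte) bool {
	return hmacVerify(macKey, forgedAssertion, hmacSign(macKey, forgedAssertion))
}

// --- LID style: the OP signs with a private key, the RP holds only the public key ---

func pubkeySign(priv ed25519.PrivateKey, msg string) []byte {
	return ed25519.Sign(priv, []byte(msg))
}

func pubkeyVerify(pub ed25519.PublicKey, msg string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(msg), sig)
}

// rpCannotForgePubkey: with only the public key, the best a dishonest RP can
// do is reuse a genuine OP signature on an altered message. Verification
// fails, so a retained (msg, sig, pub) triple is evidence that only the
// holder of the private key could have produced it.
func rpCannotForgePubkey(pub ed25519.PublicKey, genuineSig []byte) bool {
	return !pubkeyVerify(pub, forgedAssertion, genuineSig)
}

// demoKeyPair derives the OP's key pair from a fixed, constructed seed so the
// example is reproducible offline. A real OP would draw the seed from crypto/rand.
func demoKeyPair() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := sha256.Sum256([]byte("constructed OP seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	macKey := []byte("constructed shared association MAC key")
	fmt.Println("HMAC over genuine assertion verifies:", hmacVerify(macKey, sampleAssertion, hmacSign(macKey, sampleAssertion)))
	fmt.Println("RP can forge with the shared key:     ", rpCanForgeHMAC(macKey))

	priv, pub := demoKeyPair()
	sig := pubkeySign(priv, sampleAssertion)
	fmt.Println("OP public-key signature verifies:     ", pubkeyVerify(pub, sampleAssertion, sig))
	fmt.Println("RP cannot forge with the public key:  ", rpCannotForgePubkey(pub, sig))
	fmt.Println("signature the RP would retain:", hex.EncodeToString(sig)[:16]+"...")
}
```

Run with `go run .`; the four booleans come out true, true, true, true. Note what the signature alone does not settle: for the retained triple to carry weight, the RP must also be able to show that the public key was the OP's at the time and that the nonce/timestamp inside the signed message is trustworthy, which is key-binding and time-stamping work outside the signature scheme itself.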