[OpenID] Community Reputation Services
Dick Hardt
dick at sxip.com
Thu May 22 16:17:44 UTC 2008
Hi Nate

I may have misinterpreted the discussion, but the OP reputation
conversation seemed to be around wanting to know if the OP was spammy,
is reliable etc. -> I think the email analogy works well there.

As for knowing there was strong authentication used at an OP by a
user, I would propose that a claim made by a trusted strong auth
vendor be requested by the RP.

To elaborate, any OP could acquire a strong auth solution from a
certified vendor and then offer that service to its users. This
separates the function of strong authentication from the function of
being an OP.

Given the goal of creating an open infrastructure, I see OP reputation
mechanisms to be problematic if for no other reason than it creates a
closed environment of who can be an OP and you get all the issues you
have today with certificate authorities.

OpenID reputation mechanisms are a completely different matter, as you
are judging how an OpenID has been used.

-- Dick

On 22-May-08, at 2:04 AM, Nate Klingenstein wrote:
> Dick,
>
> Most universities can't send out students' grades or other sensitive
> information via email, as counsel and AACRAO judged it to be a
> potential FERPA violation, sooo...
>
> That aside, it's still an interesting parallel, given that
> historically universities have always provided email services for
> every member of the organization. Students have always been largely
> free to forward their mail to whomever they want, or transcribe it
> on their local bathroom stall. That's been their choice.
>
> Some schools are now outsourcing email entirely, though. In fact,
> they sometimes do so using Shibboleth to leverage campus identities
> for email as a service. Is removing that choice by only operating
> outsourced email fundamentally bad?
>
> Well, there are the FERPA risks and occasional subpoenas. Public
> universities often comply with open records laws, which impose
> requirements on data retention. Some people are worried about these
> issues, and others think they're no problem. They haven't been
> tested in vitro yet. Here's a recent article:
>
> http://www.insidehighered.com/news/2008/03/21/privacy
>
> It's a tough choice for a lot of schools. However, email is -- or,
> at least, it should be -- fundamentally different from identity.
> Email is an application. Federated identity plumbs many
> applications with lots of different data about individuals.
>
> The quality of that data matters for some applications, particularly
> the ones involving financial transactions. If, for example, someone
> sets up an open proxy in an IP-address based access control scheme,
> the university's often the one that gets fined/sued. Not fun, so
> we'd like to do better than that.
>
> Check out university, bank, and corporate password reset policies,
> for the ones that don't require some form of token. You'll find
> them to differ from what your average email provider does.
>
> Take care,
> Nate.
>
>> Curious how you determine the reputation of the email provider for
>> your users.
>> Email contains very sensitive, private information and likely falls
>> under the same privacy laws and FERPA.
>>
>> I don't see a lot of difference between an OpenID Provider and an
>> Email Provider.
>