[OpenID] Community Reputation Services
Nate Klingenstein
ndk at internet2.edu
Thu May 22 17:14:41 UTC 2008
Dick,
> I may have misinterpreted the discussion, but the OP reputation
> conversation seemed to be around wanting to know if the OP was
> spammy, is reliable etc. -> I think the email analogy works well
> there.
Even after ORBS, Spamhaus, MAAWG, etc., we're still sitting at 85-90%
spam. I'd like to do better than that. Email is a major attack
vector too, particularly with spear phishing. I truly hope Cardspace
takes off. You wouldn't believe how many people must... click...
that... link...
http://en.wikipedia.org/wiki/E-mail_spam#As_a_percentage_of_the_total_volume_of_e-mail
> As for knowing there was strong authentication used at an OP by a
> user, I would propose that a claim made by a trusted strong auth
> vendor be requested by the RP.
> To elaborate, any OP could acquire a strong auth solution from a
> certified vendor and then offer that service to its users. This
> separates the function of strong authentication from the function
> of being an OP.
Why would the vendor or the authentication method be the only
important variable here? I can issue plenty of certificates or
one-time passwords that are perfectly bogus using a variety of
products of your choice.
I think the operational practices of the OP are much more important.
In talking with various agencies and major RPs, they've expressed a
similar opinion.
> Given the goal of creating an open infrastructure, I see OP
> reputation mechanisms to be problematic if for no other reason than
> it creates a closed environment of who can be an OP and you get all
> the issues you have today with certificate authorities.
Yes, the UC System is a closed environment. The set of accredited
universities is too. They have the ability to confer degrees on
individuals and they purchase access to resources for their members.
They have special attributes they use that they wouldn't expect
anyone else to understand anyway. How do CAs or their issues
naturally follow?
I'd like to be able to select my protocols based on what applications
support, not characteristics of a deployment paradigm. I'd also like
to be able to construct different policies for different RPs, but
use the same identity infrastructure to reduce duplication.
Do you consider OpenID an inappropriate protocol for these use
cases? If so, I've learned something very important, and I'm really
glad I asked...
> OpenID reputation mechanisms are a completely different matter, as
> you are judging how an OpenID has been used.
How is judging the OP completely different from judging the ID? If
anything, wouldn't all IDs from an untrustworthy OP be considered
unreliable?
Take care,
Nate.