[OpenID] Community Reputation Services
Dick Hardt
dick at sxip.com
Thu May 22 17:53:07 UTC 2008
On 22-May-08, at 10:14 AM, Nate Klingenstein wrote:
> Dick,
>
>> I may have misinterpreted the discussion, but the OP reputation
>> conversation seemed to be around wanting to know if the OP was
>> spammy, is reliable etc. -> I think the email analogy works well
>> there.
>
> Even after ORBS, Spamhaus, MAAWG, etc., we're still sitting at
> 85-90% spam. I'd like to do better than that. Email is a major
> attack vector too, particularly with spear phishing. I truly hope
> Cardspace takes off. You wouldn't believe how many people must...
> click... that... link...
>
> http://en.wikipedia.org/wiki/E-mail_spam#As_a_percentage_of_the_total_volume_of_e-mail
>
>> As for knowing there was strong authentication used at an OP by a
>> user, I would propose that a claim made be a trusted strong auth
>> vendor be requested by the RP.
>> To elaborate, any OP could acquire a strong auth solution from a
>> certified vendor and then offer that service to its users. This
>> separates the function of strong authentication from the function
>> of being an OP.
>
> Why would the vendor or the authentication method be the only
> important variable here? I can issue plenty of certificates or one-
> time passwords that are perfectly bogus using a variety of products
> of your choice.
>
> I think the operational practices of the OP are much more
> important. In talking with various agencies and major RP's, they've
> expressed a similar opinion.
>
>> Given the goal of creating an open infrastructure, I see OP
>> reputation mechanisms to be problematic if for no other reason than
>> it creates a closed environment of who can be an OP and you get all
>> the issues you have today with certificate authorities.
>
> Yes, the UC System is a closed environment. The set of accredited
> universities is too. They have the ability to confer degrees on
> individuals and they purchase access to resources for their
> members. They have special attributes they use that they wouldn't
> expect anyone else to understand anyway. How do CA's or their
> issues naturally follow?
>
> I'd like to be able to select my protocols based on what
> applications support, not characteristics of a deployment paradigm.
> I'd also like to be able to construct different policies for
> different RP's, but use the same identity infrastructure to reduce
> duplication.
>
> Do you consider OpenID an inappropriate protocol for these use
> cases? If so, I've learned something very important, and I'm really
> glad I asked...
Ok. I think I see the disconnect now. (... but maybe not ;)
There is OpenID, the set of protocols, and an OpenID, an identifier.
Is an OpenID identifier appropriate for your use cases? I don't think
so.
BUT, you could use the protocols to request and receive a claim from a
trusted source saying something about the user. We (Sxip) demoed some
code to do that, but to date, the OpenID community has been focussed
on other requirements.
Perhaps a couple of analogies may work. We can use IP to move traffic
around between any site, and we use the same transport to create VPNs
to move more secure, trusted traffic. We can use OpenID to solve the
broader internet identity problems and then move trusted claims using
the same protocol for more secure, trusted information flow.
>
>> OpenID reputation mechanisms are a completely different matter, as
>> you are judging how an OpenID has been used.
>
> How is judging the OP completely different from judging the ID? If
> anything, wouldn't all ID's from an untrustworthy OP be considered
> unreliable?
Which OP is managing an Identifier at a particular point in time
should be irrelevant to the RP.
Let me know if this is resonating or not!
-- Dick