[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility

Ben Laurie benl at google.com
Tue Nov 4 13:41:26 UTC 2008


On Tue, Nov 4, 2008 at 2:13 AM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> On 11/03/2008 12:54 PM, Ben Laurie:
>> There are two cases. In one case, I just want to prove I'm the same
>> guy as last time. In this case, a client cert without any further
>> validation is fine. In fact, a self-signed cert is all that's needed,
>> no requirement for a CA - in fact, this is exactly what a Cardspace
>> self-issued card is.
>
> If you are fine with the first guy - whoever it might be, then yes.
>
>> In the other case I want to prove I'm someone in particular (e.g. Ben
>> Laurie, Google employee) - in this case I need to prove who I am in
>> order to obtain the certificate. One way to do this is, as you say, to
>> demonstrate ownership of an email address - and if everything works
>> right, perhaps the email you send to "prove" that will not be
>> intercepted en route.
>
> No, email validation hardly says anything about you - it only proves control
> over the email account, but not that you are Ben Laurie nor that you are a
> Google employee. One might assume that if you've got a google.com email
> address, then, well, you might be an employee at Google. But it's somewhat
> vague...

Well, make your mind up - it was you that brought up email validation
in the first place.

> Reminds me about some Google employee contacting me the other day with some
> inquiry or job offer ...and I thought it was a phishing attempt. The email
> wasn't signed, nor was there any other indication which would let me clearly
> know that this is somebody really working at Google. :S

What would they sign it with, or indicate with, that would convince you?

>
>
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> Jabber:  startcom at startcom.org
> Blog:  Join the Revolution!
> Phone:  +1.213.341.0390
>
>
