[OpenID] ICANN - dotOpenID Has Found Its First Sponsor
Brandon Ramirez
brandon.s.ramirez at gmail.com
Sat Sep 27 20:40:55 UTC 2008
I like this idea. I'll probably get yelled at for saying this, but if the
registrars for this gTLD agreed to lay out certain validations during the
registration process, then it could make RP's lives easier by only accepting
OpenID's based under that gTLD. If the registrar validates certain policy
claims, such as an OP requiring strong authentication or password rotations,
then they can publicly advertise that information and the OpenID spec could
perhaps include that for clients.
I see the strongest barrier to entry for OpenID not to be the consumer, but
the RP. While building a new web site, there is too much risk involved in
supporting OpenID or any distributed authentication technology because there
is no way to verify the security of that authentication process. If registrars had
a procedure for allowing prospective OP's to claim certain features (this
schema would obviously need to be standardized, hence a new spec), such as
strong authentication, phone call verification, etc., then the registrars
could validate these claims and advertise them for RP's.
Just a thought...
- Brandon
On Sat, Sep 27, 2008 at 1:14 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Snorri: don't get too excited about national adoptions of stuff. Vienna is
> fully ENUM enabled, too. Helsinki has full SSO roaming between GSM carriers
> (it's built into GSM key management standards!) that allows for phone
> banking.
>
> It's a useful to measure openid focus tho - who ...with (intelligent not VC)
> money to invest ..thinks what! about OpenIDs "core infrastructure problems"
> - What is it that needs solving, at a business/board level that can vector
> OpenId into the "infrastructure" league, that lots of big capital companies
> can then own?
>
> Is it the "means to deal with the 'scourge' of comment spam"? - OpenID
> future is all about reputation management
>
> Is it the means to hold "blog commentators liable for their defamations"? -
> OpenID ensures only authenticated blog-comments are allowed in China ISPs
> ...and lots of dispute management services get sold
>
> Is it the "UCI liberator that frees up social networks"? - OpenID forces
> Facebook to share the ball in the web2.0 playground, like it forced AOL to
> share IM buddies with MSN, Yahoo and jabber (urrr...)
>
> Is it "the URL that will finally save RDF"? - OpenID saves Foaf and
> UI-based ontology-based mashups (and authenticates SPARQL queries to
> SQLSERVER 2008, while it's at it)
>
> Is it now the savior of DNSSEC ? - ie. OpenID gets the Assurance Liberty
> says is missing - by relying on an external (non XRI) trust fabric (Nate's
> main point). Hmm!
>
> Is it an ICANN marketing ploy to decouple secure naming from SSL certs in
> favor of DNS and IPv6? - Attack VeriSign's ultimate source of leverage in
> the .com name registration market (since SSL/certs do the same as DNSSEC,
> practically)? Who on Earth would have ICANN to do that!!? And, Why!?
>
> Lots to think about.
>
> ________________________________________
> From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of
> Snorri [snorri at snorri.eu]
> Sent: Saturday, September 27, 2008 9:43 AM
> To: 'Martin Atkins'; 'Hans Granqvist'
> Cc: 'Zdravko Stoychev'; board at openid.net; general at openid.net
> Subject: Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor
>
> I agree!
>
> About DNSSEC, e.g.: I believe that the Swedish NIC http://www.iis.se/ (also
> in Bulgaria: ".bg") already use and sign with DNSSEC for their ccTLDs
> domains...
>
> -Snorri
>
> -----Original Message-----
> From: Martin Atkins [mailto:mart at degeneration.co.uk]
> Sent: Saturday, September 27, 2008 10:55
> To: Hans Granqvist
> Cc: Snorri; board at openid.net; general at openid.net
> Subject: Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor
>
> Hans Granqvist wrote:
> > Wrong end of the URL!
> >
> > A big problem with OpenID is that it uses ugly URLs as identifiers.
> > That they start with "http://" and have dots. It's not what TLD they
> > end with that is a problem.
> >
> Much like when URLs are published in the press, the http:// prefix and
> the single-slash path component can be omitted when displaying these
> URLs to users. I wish more RPs would do this.
>
> As for it being a problem that the identifiers contain dots... that's
> clearly a subjective issue!
> > Anyway, compared to say, ".com", how will creating ".openid" help
> > improve anything? Looks like a misspelling of "opened". "myid"
> > isn't much better.
> >
> >
>
> One thing that amuses me about this proposal is that putting everything
> OpenID in one DNS domain would make it look a lot like the first version
> of Sxip where the IdPs were subdomains of sxip.com (or something like
> that; it's been a while.)
>
> I know that's not exactly what's being proposed here, but it did make me
> chuckle from a "what's old is new again" perspective.
>
> One thing I would be interested to know is whether having a new
> top-level domain for identifiers would make it possible to use different
> rules inside that domain such as requiring DNSSEC. It's become clear
> that getting DNSSEC deployed right at the root and in the existing TLDs
> is not happening soon, but perhaps it can be used under a new TLD if RPs
> support it. I confess to not knowing a great deal about DNSSEC, but it
> seems to me that in order for it to be worth having a new TLD
> *something* has to be different to the existing free-for-all domains.
> Addressing the concern that OpenID depends on DNS and DNS is insecure
> would be a useful goal.
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>