[OpenID] ICANN - dotOpenID Has Found Its First Sponsor
Peter Williams
pwilliams at rapattoni.com
Sun Sep 28 11:55:01 UTC 2008
I wasn't trying to be intellectual (I'm way too dumb).
I was merely trying to assert that there SEEMS to be a wider movement here that has certain beliefs about the trust model underlying an actual OpenID flow between the two principal parties. It expresses beliefs about the form of any such trust model between any two examples. One principle is that there is an explicit balance of power between the RP and the OP. This contrasts with other web SSO schemes, in which the RP is a simple remote agent of an IDP, controlled, manipulated and dumb (like me). There, it doesn't control its own keys (those are managed by CAs), and it doesn't control the assertions even upon receipt (those are still controlled by the issuing IDP, for all time).
What OpenID has in its trust metamodel is expressed in terms like "UCI": the notion that even though you the user are neither of the principals, everything is centered around you in practice - as you are actually "in control". It's actually your data, your flow, your control. You are not merely a subject, about which others are making statements (and owning/controlling/monetizing your member records, your certs, your asserts, your name registrations). It's the opposite of Facebook's business model.
I cannot imagine a VeriSign cert-delivered trust metamodel in OpenID, for example, where a cert about you contains a copyright that controls YOU from using your name in your cert. That's because the VeriSign CPS trust metamodel doesn't conceive of you in the UCI sense (speaking as one of the contributors to the trust model in the CPS). VeriSign owns the cert, not you. It owns the data, not you. It owns the IP of the database of certs. It controls where you can use it legally, not you. It covertly spies on your flows to protect you, when required by USG. The only thing you get is a bunch of obligations that protect the interests of the CA entity and then (only if you are in compliance) the assurance benefits of strong authentication via strong crypto. But, in addressing disputes and the FUD about the legal value of crypto signatures, this assurance __was__ valuable, in the early web days.
Today, if you fail the compliance test mentioned above, you become a non-person, denied trustworthy communication benefits. Contrast that with the trust metamodel in UCI, where you the non-person reinvent yourself with full authority, 10ms later.
As DARPA would say, UCI is a design for survivability - one consistent with one of the founding philosophies of internet/military packet switching. You have autonomy, built in.
-----Original Message-----
From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
Sent: Saturday, September 27, 2008 9:48 PM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor
> RP-centric models simply allow relying parties to overlay their own
> trust model, consistent with the trust metamodel in OpenID.
What you're saying about a trust metamodel sounds interesting (the
term is new to me). Could you elaborate further, please?
-Shade