[OpenID] Windows Live ID OpenID CTP Status Update (August 2009)
Peter Williams
pwilliams at rapattoni.com
Fri Aug 28 18:42:25 UTC 2009
As a break from the past, and in deference to openid's uci basis,
consider publishing the root cert for https-based discovery and op
identifier endpoint interworking (also) as self signed certs (from a
https url chaining to a common public ca).
Public ca typically impose relying party agreements (on cert users,
and the "protected" transactions). We don't want conflict of legal
controls, where the rp is under 1 set of legal obligations concerning
reliance during association formation and discovery, the user is under
another set imposed by the op, and a third set of obligations from the
ca serving the rp website will probably seek to govern further with
yet more rules (that may well conflict with those projected by the ca
serving the op, and/or the terms of use set by the resource site
itself).
Unlike the https launch (which had years of careful 3-party legal
design behind it), openid has no (multi party) legal design or even a
framework for resolving conflicts of reliance limits, reliance
policies, reliance obligations, ...
Though this could be solved by requiring 1 ca throughout the entire
sequence flow, that unfortunately conflicts with the decentralized goal.
On Aug 28, 2009, at 11:14 AM, "Jorgen Thelin" <jthelin at microsoft.com>
wrote:
>> will allow for 100% https usage
>
> Yes, that is one of our core requirements for the production
> release :)
>
> We will also provide a "Login with Windows Live ID" type button for
> RP's to use.
>
>
> -----Original Message-----
> From: openid-general-bounces at lists.openid.net [mailto:openid-general-
> bounces at lists.openid.net] On Behalf Of Peter Watkins
> Sent: Thursday, August 27, 2009 9:23 PM
> To: Peter Williams
> Cc: openid-general at lists.openid.net
> Subject: Re: [OpenID] Windows Live ID OpenID CTP Status Update
> (August 2009)
>
> Peter Williams wrote:
>> So the experiment with directed ID to allow users to release
>> different identity urls/synonyms to subsets of relying party sites
>> has failed. Even yahoo has withdrawn, I believe.
>>
> Where'd you get that impression? I just now logged in to Yahoo and
> verified that I can still use the "OpenID Home" link to get the UI for
> requesting additional "me.yahoo.com" identifiers, and their OP login
> flow still lets me choose between the very ugly unique ID they first
> created for me, and the slightly less ugly identifier that I created.
> So they still seem to support directed identity and allowing users to
> create a set of alternative identifiers.
>
> Or maybe I'm not understanding what you're saying. It wouldn't be the
> first time. ;-)
>
> Windows Live folks -- thanks for sharing. I look forward to digesting
> this tomorrow. And I look forward to seeing your final solution. I do
> hope it, like the offerings from Yahoo! and Google (and, if I recall
> correctly, the CTP setup), will allow for 100% https usage, so we can
> trust the process. If so, I'm sure we'll add an easy "Login with
> Windows Live ID" button to our RP site. If not, we won't accept Live
> as an OP, even if a user is geeky enough to enter a valid URL in the
> OpenID text box.
>
> -Peter
>