[OpenID] Verisign Announces Free OpenID Digital Lockbox

Peter Williams pwilliams at rapattoni.com
Sat Feb 21 07:33:19 UTC 2009


It may be conceived to be exactly what you say.

I didn't look at the OAUTH hybrid model element of the work -- in which presumably the OP (cum authentication authority) acts as an OATH-SP storing not browser-uploaded photos but "just purchased stuff" now released to the openid auth authenticated subscriber (only) by the OAUTH-consumer=OpenID-Consumer.

Knowing VeriSign's business model for selling TTP services, the intent will _probably_ be to have the OP's trusted vault become the DRM enforcement point for the consumer site(s) selling "content" that can be "played" on other RP sites, etc. Finally a business model for OPs and social networks - the crypto-based shared-policy enforcer... for n RP sites! (aka the TTP business, a la AOL/MSN of the 1996 period!)

It is more interesting than the typical OATH world _because_ the OAUTH-Consumer is exploiting the security handshake to get for the OATH-RP write privileges (on the trusted vault) and get perhaps even participation in the keying of the RP-property deposited material within said vault, where the shared keying controls -- DRM-like - control data-release to other RPs.

Peter.

From: Chris Messina [mailto:chris.messina at gmail.com]
Sent: Friday, February 20, 2009 9:28 PM
To: Peter Williams
Cc: Andrew Arnott; OpenID List
Subject: Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox

Personally, what I'm interested in, at least in terms of how I read it, which may not be at all what this thing is, is a storage-in-the-cloud discovered off of your OpenID.

For example, I sign in to Amazon.com with my OpenID, it discovers my "Lockbox" or "Digital Locker", I do the hybrid dance so that Amazon can dump stuff into my Lockbox, and then whenever I purchase MP3s or hardware that come with digital manuals, Amazon just passes the data directly to my Lockbox.

No need for me to download/save to my local machine.

If that's not what this is, then, oh well.

Chris
On Fri, Feb 20, 2009 at 12:10 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

So it's a proprietary initial login to an OP (that happens to do some encrypted file store stuff, possibly leveraging the proprietary token for key management). This seems useful, if you think that store holding the same kind of consent/audit/release logs that myopenid keeps around (tracking/tracing your communications with RPs)

Once you have a session, it happens to offer openid assertions to SPs.

The behavior seems similar to the Google BlogSpot service, where you had to first login to BlogSpot using Google proprietary means, and only then could you leave an authenticated comment on the blogspot site using some (or other) OP. In reality Google was tracking your comment using the proprietary means, but one was present in the OP name to comment readers.

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Friday, February 20, 2009 11:08 AM
To: Chris Messina
Cc: DiSo Project; OpenID List
Subject: Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox



Sorry... this doesn't seem like OpenID authentication to me.  Verisign only lets you log into the vault using your PIP account, which although PIP is an OpenID Provider, means that OpenID has nothing to do with your authentication experience.  You can't use any openid to log in -- you just log in with your PIP username and password, and a hardware credential that costs at least $30 to boot.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Fri, Feb 20, 2009 at 10:57 AM, Chris Messina <chris.messina at gmail.com> wrote:

I find this very interesting:



http://infosecurity.us/?p=6437

http://blogs.verisign.com/innovation/2009/02/pip_update_a_free_secure_digit.php



It's how it works over OpenID that is most compelling (though this is really just the OpenID + OAuth hybrid, minus OAuth):



http://infosecurity.us/images/openid_protocol.png



So basically it's like MobileMe attached to your OpenID, with the ability to provide delegated access!



Thoughts?

Chris
--
Chris Messina
Citizen-Participant &
 Open Web Advocate-at-Large

factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
