[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Peter Williams
pwilliams at rapattoni.com
Sat Jan 3 12:39:58 UTC 2009
“CAs who fail to meet the burden of proof for the broad business value of their offering to Microsoft customers.”
The program listed fails the UCI test.
In UCI, the user (all 6 billion of us) decides which OP is good and which CA is good - not Microsoft business analysts.
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Jorgen Thelin
Sent: Friday, January 02, 2009 7:13 PM
To: Eddy Nigg (StartCom Ltd.); general at openid.net
Subject: Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
While considering these issues, you guys may be interested to see the details of the Microsoft Root Certificate Program.
http://technet.microsoft.com/en-us/library/cc751157.aspx
The Microsoft Root Program lists the details and requirements for the Microsoft Root Certificate Program.
The MS Root Program attempts to establish a minimum baseline for PKI-based security -- to at least warn Windows / IE users before they make some obviously bad decisions around SSL trust -- such as warning users before they access sites that use certificates with known weak hash algorithms.
In the above document you can see the technical requirements for CAs that apply to any browser running on Windows.
“Identity is easy, but Trust is hard!”
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, January 02, 2009 2:01 PM
To: general at openid.net
Subject: Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
On 01/02/2009 10:45 PM, Martin Paljak:
> On 02.01.2009, at 15:16, Eddy Nigg (StartCom Ltd.) wrote:
>> Martin, failures and disclosing them serve the purpose of improving and preventing them. I'm responsible for disclosing one of those listed above, which however doesn't mean that public certification is a total failure. It speaks rather for the dedication and also the ability of the industry to control and improve itself.
> Of course disclosure is good. But as you have interests in one CA I have to take your opinion as probably biased ;)
Right! And as such I have an interest that my work isn't de-valued by other CAs. Such is the interest of many CAs and hence there is a real interest that we (CAs) are able to uphold the promises we make as a collective. That's why incidents such as I reported are extremely bad and must not happen. I'm active in different forums out of my biased interest to make and keep PKI reliable.
Disclaimer: Mistakes can happen, negligence must not however.
> "Nothing to see here, move along, EV fixes everything". Yes - technically, within the boundaries set by the established CA business, everything is OK and will be even better with EV. But I try to question the existing, current approach of CAs doing business under the name "trust business". CAs should deal with certification and users should be dealing with trust issues and decisions. PKI as we know it now is not an implementation I like as a (loud minority) user.
Well, the minority of the Netizens have the ability to make the decisions you would like them to make. I'm not sure about you, but how many CP/CPS of CAs have you read recently before making a decision whether to trust?
> Good question. As "you can do anything with OpenID" I believe it is left open - you can do whatever you want if you consider it useful.
Sure, that's why we are here, aren't we? :-)
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390