[OpenID] TransparencyCamp and OpenID (U)

Peter Williams pwilliams at rapattoni.com
Wed Mar 11 17:38:25 UTC 2009


SSL took lots of baby steps on the way to becoming a de facto security service for the web - with several levels of assurance available for one to choose from, depending on the potential of actual loss.

In those baby steps, DoD/NSA endorsement and contribution of the steps around SSLv3 certainly helped (as did the move into the business world of various agency workers with large-scale DoD/Natsec secure phone/data infrastructure experience: helping the crypto-corrupt world of banking/telco move into relatively decent security services for the "mainstream web", free of inherent national biases).

But concerning baby steps, there were many. First some root keys. Then 4 static root keys. Then a few one-level cert chains. Then long cert chains. Then X.509 v3 control extensions. Then key escrow. Then elimination of the American ciphers. Then CRLs. Then delta CRLs. Then stateless servers. Then OCSP. Then role reversal. Then OCSP with DR multi-homed cert chains; then cert chains with OCSP control extensions. Then multicast key management, and connectionless bearers... And that only describes historical normalization work. Lots of vendors did far more, in vendor enhancements.

(A really savvy vendor would be merging OpenID with the SSL handshake, too: a new hello extension, and a custom close-phase message tuned to the nature of WebSSO. Then we could upgrade HTTPS to use XRDs instead of the DNS/cn= kludges, moving HTTPS on from its now rather tawdry legacy mechanisms for namespace management.)


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Ben Laurie
> Sent: Wednesday, March 11, 2009 8:50 AM
> To: SitG Admin
> Cc: general at openid.net
> Subject: Re: [OpenID] TransparencyCamp and OpenID (U)
>
> On Wed, Mar 11, 2009 at 3:19 PM, SitG Admin
> <sysadmin at shadowsinthegarden.com> wrote:
> >>>  I largely favor the government accepting third-party OpenID
> Providers
> >>> for
> >>>  authentication, just as they do allow for email provider choice.
> >>
> >> Wow, really? Wouldn't you prefer a protocol with some actual
> security?
> >
> > Baby steps.
>
> Over cliff edges.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
