[OpenID] Backwards Compatibility
Peter Williams
pwilliams at rapattoni.com
Wed Mar 18 09:20:07 UTC 2009
The test today should be, merely: is there some mechanism provided by the RP which enables a user with an RP session to register the CA certs of the OPs s/he uses. Yes, I recognize that - to keep things ultra contained for the openid "library-centric" programming culture - a user may need to use first the rendezvous-point of a megaOP to access the RP via openid, over which channel one then performs the act of CA/CTL registration.
"Bootstrapping" discovery schemes and Rendezvous-point mapping directories are well understood topics, in the multicast key management world. They enable source-based multicast routing trees to cooperate with a sparse domain of consumers. If openid can just adopt the abstract model of a bootstrap, we will have found the initial crack in the 80:20 rule armor on the topic - through which openid will later be able to further evolve - and later properly exploit with internet-centric discovery protocols that are part of the internet security architecture.
I think people should be allowed to provide their own service and take their own risks if they are informed.
However there is never a guarantee that any ID will be accepted at every RP.
For you and Shade I have added an OSIS test for RPs accepting CA Cert certificates.
This is a bit of an odd test, in that I honestly don't know if accepting the cert is pass or fail.
I think what to do should be left up to the RPs policy.
In any event there is now a test that people can run to check what an RP is accepting.
https://test-id.org/RP/CACert.aspx
Regards
John Bradley
On 17-Mar-09, at 3:01 PM, general-request at openid.net wrote:
Date: Tue, 17 Mar 2009 15:01:20 -0700
From: Peter Williams <pwilliams at rapattoni.com>
Subject: Re: [OpenID] Backwards Compatibility
To: Andrew Arnott <andrewarnott at gmail.com>, Allen Tom
<atom at yahoo-inc.com>
Cc: "general at openid.net" <general at openid.net>
Message-ID:
<BFBC0F17A99938458360C863B716FE46398DCA858A at simmbox01.rapnt.com>
Content-Type: text/plain; charset="us-ascii"
Hmm. Now I object.
That presupposes (yet again) that only well known OPs are of any consequence.
What SSL taught us is that what really matters is the half billion SSL domains that hardly anyone knows about (they are almost all wifi routers, with a self-signed cert for https admin).
All depends on what the mission of openid is. 10 giant megaOPs, or the little guy (of which there are a lot).
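The per-user CA registration mechanism Peter describes at the top of this message, as an added Python sketch that is not code from the thread or from any OpenID library. The DER byte strings, PUBLIC_ROOT and toy_validator are constructed stand-ins for real certificates and real path validation; the point it shows is that a registered anchor must be scoped to the registering user and the named OP, so one user's CAcert or self-signed anchor never widens trust for anyone else.

```python
import hashlib
from collections import defaultdict

PUBLIC_ROOT = b"constructed-public-root-der"  # stands in for the RP's public root set


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PerUserOpTrustStore:
    """Trust anchors each RP user has registered for the OPs s/he uses.
    Keyed by (user_id, op_host) so one user's CAcert or self-signed anchor
    never widens trust for another user or another OP."""

    def __init__(self):
        self._anchors = defaultdict(dict)  # (user_id, op_host) -> {fingerprint: der}

    def register_op_ca(self, user_id, op_host, ca_der):
        """Only reachable from an authenticated RP session belonging to user_id."""
        fp = cert_fingerprint(ca_der)
        self._anchors[(user_id, op_host.lower())][fp] = ca_der
        return fp

    def anchors_for(self, user_id, op_host):
        return list(self._anchors.get((user_id, op_host.lower()), {}).values())

    def decide(self, user_id, op_host, chain_der, validate):
        """Accept or reject an OP TLS chain seen while serving user_id.
        validate(chain_der, extra_anchors) is the path validator; in production
        that is the TLS stack with the anchors added, e.g. via
        ssl.SSLContext.load_verify_locations(cadata=...)."""
        if validate(chain_der, []):
            return True, "public-roots"
        anchors = self.anchors_for(user_id, op_host)
        if anchors and validate(chain_der, anchors):
            return True, "user-registered-anchor"
        return False, "no-anchor-for-this-user-and-op"


def toy_validator(chain_der, extra_anchors):
    """Stand-in for real path validation (constructed for this demo): a chain
    is 'valid' when its top cert is PUBLIC_ROOT or one of extra_anchors."""
    roots = {cert_fingerprint(PUBLIC_ROOT)} | {cert_fingerprint(a) for a in extra_anchors}
    return bool(chain_der) and cert_fingerprint(chain_der[-1]) in roots


if __name__ == "__main__":
    store = PerUserOpTrustStore()
    cacert_root, op_leaf = b"constructed-cacert-root-der", b"constructed-op-leaf-der"
    store.register_op_ca("alice", "op.example.net", cacert_root)
    print(store.decide("alice", "op.example.net", [op_leaf, cacert_root], toy_validator))
    print(store.decide("bob", "op.example.net", [op_leaf, cacert_root], toy_validator))
```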