[OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID international evssl

John Bradley john.bradley at wingaa.com
Wed Sep 9 23:37:12 UTC 2009


If you have an EVSSL cert for client auth they would take that and  
forget OpenID.

They do that now.   The CA is the IdP in that case.

No, a GSA RP will not trust something that is an IdP that has not been  
audited to meet the profile and Privacy guidelines.

The big problem with the SSL solution is that it is correlatable by  
the RP, so it doesn't meet the anonymity requirements that some of the  
agencies have.  It works better at LoA 2 and up where there is  
identity proofing required, so anonymity is not an issue.

A personal information card where the key pair is pairwise with the RP  
is a better fit at LoA 1.

Andrew Arnott and I did a demo of using a p-card to log into an OpenID  
RP without having an IdP involved.

The public key is combined with an RP base URI to create the unique  
identifier.

John B.


On 2009-09-09, at 2:48 PM, nieuwsgroep at evidos.nl wrote:

> How about an evssl cert issued to individuals?
>
> Although the CABforum is not allowing evssl for individuals at this  
> moment, this looks like the most internationally trusted certificate  
> profile.
>
> Would an rp trust my decentralised openid if I installed an evssl   
> cert on https://openid.kick.nl. Two sided ssl  solving the trust  
> issue and the security level?
>
> Kick
> ------Original message------
> From: Peter Williams
> To: nieuwsgroep at evidos.nl
> To: John Bradley
> To: openid-general at lists.openid.net
> Subject: RE: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces  
> support of the Government profile of OpenID
> Sent: 9 Sep 2009 19:44
>
> Cross-certificates at the ssl level...?
>
> GSA bridge to NL bridge?
>
> (The original purpose of certPolicy OID in X.509 v3 was for  
> assurance statements, before Entrust hijacked it to become a control  
> signal for automated cert chain validation, in general.)
>
> -----Original Message-----
> From: openid-general-bounces at lists.openid.net  
> [mailto:openid-general-bounces at lists.openid.net] On Behalf Of nieuwsgroep at evidos.nl
> Sent: Wednesday, September 09, 2009 10:06 AM
> To: John Bradley; openid-general at lists.openid.net
> Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces  
> support of the Government profile of OpenID
>
> How about a Dutch (international) OP fulfilling all criteria? Maybe  
> not today, but what was the scope of this scheme? We in the  
> Netherlands are defining a scheme as well. We have discussions about  
> government allowing OPs from other countries, because, i.e., an  
> Italian needs info of a Dutch government site (EU directive).  And  
> yes, I know Google, VeriSign etc. are international companies and we  
> have to think in small steps, but it would be interesting to hear  
> gov2 discussions on this. Anyone?
>
> Kick
> ---
>
> -----Original Message-----
> From: John Bradley <john.bradley at wingaa.com>
>
> Date: Wed, 9 Sep 2009 12:06:47
> To: <openid-general at lists.openid.net>
> Subject: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces  
> support of
>        the Government profile of OpenID
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
> ---
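
The message above describes a key pair that is pairwise with the RP and an identifier built from the public key and the RP base URI. The sketch below is an added example, not code from the demo or from DotNetOpenAuth; the message does not say how the two values are combined, so the SHA-256 construction, the Ed25519 keys, and the names `Wallet`, `pairwiseIdentifier`, `rpVerify` and `certFingerprint` are assumptions.

```javascript
// Added illustration; the hash construction and all names are assumptions.
const crypto = require('node:crypto');

// Normalise the RP base URI so the same RP always yields the same input.
function rpBase(uri) {
  const u = new URL(uri);
  return `${u.protocol}//${u.host}/`;
}

// Identifier = SHA-256(public key DER || 0x00 || RP base URI), hex-encoded.
function pairwiseIdentifier(publicKey, rpUri) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256')
    .update(der).update(Buffer.from([0])).update(rpBase(rpUri))
    .digest('hex');
}

// Wallet holding one key pair per RP (the "pairwise" property).
class Wallet {
  constructor() { this.keys = new Map(); }
  keyFor(rpUri) {
    const base = rpBase(rpUri);
    if (!this.keys.has(base)) this.keys.set(base, crypto.generateKeyPairSync('ed25519'));
    return this.keys.get(base);
  }
  // Sign the RP's challenge, bound to the RP base URI.
  login(rpUri, challenge) {
    const { publicKey, privateKey } = this.keyFor(rpUri);
    const msg = Buffer.concat([Buffer.from(rpBase(rpUri)), challenge]);
    return { publicKey, signature: crypto.sign(null, msg, privateKey) };
  }
}

// RP side: verify proof of possession, then derive the identifier it stores.
function rpVerify(rpUri, challenge, assertion) {
  const msg = Buffer.concat([Buffer.from(rpBase(rpUri)), challenge]);
  if (!crypto.verify(null, msg, assertion.publicKey, assertion.signature)) return null;
  return pairwiseIdentifier(assertion.publicKey, rpUri);
}

// What every RP sees when one client-certificate key is reused everywhere.
function certFingerprint(publicKey) {
  return crypto.createHash('sha256')
    .update(publicKey.export({ type: 'spki', format: 'der' })).digest('hex');
}
```

Two RPs comparing their stored identifiers find no common value for the same user, whereas `certFingerprint` of a single client certificate key is identical at every RP, which is the correlation problem the message raises.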


