[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
Peter Williams
home_pw at msn.com
Sun Feb 12 23:12:09 UTC 2012
There are two levels of discussion. I'm not really entitled to one about who or what kind of solution/profile is endorsed (not being a foundation member; though if I were I still don't think it would make the slightest difference, since money is power). The other is technical, and to do with things like keygen, javascript, or this or that standard of web browser. As I was saying in another forum recently, the US has inverted its Internet position from 20 years ago. Before, folks hated the world of ITU-T, or ETSI, or any other forum designing "telco-centric" service solutions, based mostly on the interests of Fortune 1000 companies (and everyone who touches the output of one, which is 90% of us as consumers and investors and supply chain partners, and ...). It wanted the wild-west internet, full of a thousand flowers blooming, and indeed a certain rebelliousness and anti-international (i.e. Euro) telcos. They were the enemy culture, preventing the latest widget becoming all the rage, for a few months. Openid, as founded, came at the tail end of that, of course. Now, the main openid foundation membership is composed of huge companies, wanting a more regular world (that facilitates their business models). This world likes ITU, and ETSI - these days. This is how you manufacture a world where you get to work the way that suits huge capital outlays, on 20 year capitalization plans... I've been there (although it was 20 years ago, when I used to be involved in value-added telco). When one reads how openid is characterised in international draft standards or ETSI documents, it's not exactly consistent with the rebellious end of openid. It's rather more as Don elaborated - a process of creating the conditions that make it all more palatable for huge companies (to reach out to huge numbers of us). And this may WELL mean profiling technical options - down to what suits that. It's almost a taming process (on that damn, wild-west internet).
One such profile option might be in the certs world, where a certified identity might interact with an OpenID provider as a source of attributes. Any such interaction may have to suit the foundation's public positions though, on attribute handling, or privacy policies, or discovery popups, or this or that. Sure! You can log on to myopenid as OP using SSL client certs (but ONLY when the issuer is myopenid, and you have a business/paid account). And, yes, they won't then allow the cert to be released as an attribute. Now, that's a myopenid profile (not an openid "endorsed" profile); and the firm is entirely entitled to set such limits, to fit its business model. Another profile for openid endorsement, though, might say: we only care about the latest browsers (with javascript and HTML5 "keygen()") and don't care about older smartcards or PIV cards as means of keying UAs doing https client certs. Only THEN do we "the foundation" endorse the "profile" of openid that fits with certs - so it fits with wider governance stances and positioning. After all, we have spent 2 years stating what we are about in the likes of ITU or ETSI (and we need to be consistent). Perhaps that position wants a world of certs envisioned in the post HTML-5 era, with cipher suite and mandatory key management practice... So, when you folks invite a response, I analyzed the form of the constraints - trying to determine if it embedded the foundation's public position on "profile" rules, re the interaction of certs and openid OPs. In my world, folks already have certs, and multi-year relationships with CAs and certain device makers, that are even trusted by certain Federal government relying parties. I cannot change this, and cannot move to a vision of the world that does HTML keygen for those certs, or start using certs minted by some openid OP. This is not a blank canvas, for me. I already have certs and IDPs from the last 10 years...
Thus if openid's endorsed position (in backrooms or in public) assumes something contrary, openid+certs is useless to me (for the next few years). If the NSTIC world positioning agreed between the foundation (or more likely its members acting for themselves) and the US Federal government assumes a certain model of cert-based identity and openid-based credentialing and asserting (and attribute management), then it's worth knowing. Openid in its "NSTIC-profile" may not fit us... and indeed NSTIC may not fit us (as currently conceived in the minds of the program managers). We may want - as a national trade group with not inconsiderable power of influence - to be asserting that, through the usual methods. If NSTIC is a forum for feedback and national interplay (and not just a forum for a backroom cloud of DoD/DHS vendors to get what they have already decided upon... regardless) it may be well worth participating (in the process, not that I would expect the result to be particularly relevant for 2-5 years). If it's here to be railroaded through, with a profile that is already agreed between ITU, NIST and ETSI, perhaps it's not worth bothering with taking a position... Perhaps we just wait until it's all de facto, and then do it as a late stage adopter (like it or lump it). Personally, I want to jump in and make stuff happen. But, I have to remember I'm a CISO now, not a programmer throwing stuff at the wall to see if it takes off.
Date: Sun, 12 Feb 2012 14:03:21 -0800
From: fcorella at pomcor.com
To: eddy_nigg at startcom.org; openid-general at lists.openid.net
CC: kplewison at pomcor.com
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
Eddy,
I just didn't know that StartSSL was also an OpenID provider.
One thing that's new in our pilot proposal is the use of keygen for
automatic issuance of certificates. I now know that you do issue
certificates automatically; I tried it out yesterday. But you don't
use keygen, do you? I suppose you use JavaScript to generate the
keypair and to import the certificate? If so the keygen
extension we are proposing would be simpler: no JavaScript code would
be needed. It would also be more secure, since it is difficult if not
impossible to secure the JavaScript environment. See
http://www.matasano.com/articles/javascript-cryptography/.
Francisco
From: Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org>
To: 'openid-general' <openid-general at lists.openid.net>
Sent: Saturday, February 11, 2012 9:14 AM
Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
On 02/11/2012 01:58 AM, From Francisco Corella:
FYI:
http://pomcor.com/2012/02/10/openid-providers-invited-to-join-in-an-nstic-pilot-proposal/
Without offending, but what's the news? StartCom (and maybe some
others) do this already for years: https://www.startssl.com/?app=14
A pilot for something that works in production already for years? Or
am I missing something?
Regards
Eddy Nigg, COO/CTO
StartCom Ltd.
XMPP: startcom at startcom.org
_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general