[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal

Peter Williams home_pw at msn.com
Tue Feb 14 17:55:24 UTC 2012


What is news to me is that the foundation took upon itself to break free of the somewhat-specious buckets - that openid (the approach) was inherently unassurable (and thus LOA1). A lot of political energy went into characterizing openid - the brand - as only for "that which doesn't matter".
Remember, consumers don't think in terms of formal technical definitions, or NIST criteria. They think in terms of rough classes of assurance.
1 There is me when being a pill on a blogging site, ranting on a topic I know nothing about after a beer (wishing I hadn't, the next day). There may even be me writing a blog, on something half adult. There is also me paying a subscription using a credit card to 100 media outlets.
2 There is me doing paperwork when I get a job and do tax deductions (that hurt my pay cheque), or pay the road tax, or get a smog certificate for a vehicle; or licensing my shotgun for use in my extensive backyard.
3 There is me signing and certifying my annual tax form (under penalty of perjury), or registering a baby for a passport; or seeking government benefits (based on eligibility).
4 And there is me playing James Bond, with instant, tamperproof satellite communications, all used to save the planet just in the nick of time.
The last one has yet to happen for me (and probably won't). The other three are 80:15:5 percent of my arrangements.
That openid intends - as a brand - to address the 2nd and 3rd categories is what is news (to me) - but remember I'm not a foundation member. That there are bits and bytes of "more evolved" security protocols in the works was not (having seen all the same stuff done several times with different bit formats, over the years).
If it helps, I can tell a story that may align with what the foundation has been doing. It may even mean the story is "resonating" (generally).
Last week a really good engineer came to me and said: look, we cannot stand any more the fact that the web site farm talks to the web services (and the database) [farms] using trusted accounts. We want the user identity to drive what the (data center) web services do, and limit their access in the backroom. It's just too risky.
I nearly fell off my seat at hearing this (having said what we HERE all know is "proper" for years). Previously, the de facto and loud response was: it's just not "important" (or economic). Go away, and talk to academics about stuff 15 years down the road.