[OpenID] One-Click OpenID: A Solution to the NASCAR Problem
Peter Williams
home_pw at msn.com
Thu Feb 16 20:30:55 UTC 2012
I've begged people to use the client cert to myopenid for several years...
It was always seen as a double-edged sword though (undermining the need for the openid protocol, itself). This topic is worth understanding, as it goes to the heart of governance.
Folks were/are worried about the bootstrap problem. This is one in which an IDP with an assertion protocol introduces subscriber X to lots of RPs, who then dump the IDP and just use the subscriber's client cert directly (cutting out the IDP, thereafter).
This scenario terrified the old VeriSign product managers (and execs), for example, worried about being dis-intermediated by the RP talking to a verification agent willing to speak for several cert authorities operating at a fraction of the VeriSign cost basis (once VeriSign had done the HARD task of first-introduction). VeriSign had no opportunity to recoup its cost outlay (that is), only enabling its competitors.
This comes down to governance, though. Some folks NEVER learned to separate cert issuing (and liability control) from governance of the RP, thereafter, or the associating of revenues with continuing governance (over downstream privacy policy enforcement, say).
I was VERY VERY pleased to see a mature Google (as IDP) did not have that hangup, allowing the Microsoft bridge (between openid protocols and ws-fedp protocols used by our Windowsy realty systems) to add a bit of value (doing a few protocol conversion steps, for a variety of bit formats). It gave me some renewed hope about openid quite recently (to be honest) - which I'd kind of written off.