[OpenID] One-Click OpenID: A Solution to the NASCAR Problem
Melvin Carvalho
melvincarvalho at gmail.com
Fri Feb 17 13:46:41 UTC 2012
On 16 February 2012 21:30, Peter Williams <home_pw at msn.com> wrote:
>
> I've begged people to use the client cert to myopenid for several years...
>
> It was always seen as a double-edged sword though (undermining the need for the openid protocol, itself). This topic is worth understanding, as it goes to the heart of governance.
>
> Folks were/are worried about the bootstrap-problem. This is one in which an IDP with an assertion protocol introduces subscriber X to lots of RPs, who then dump the IDP and just use the subscriber's client cert directly (cutting out the IDP, thereafter).
>
> This scenario terrified the old VeriSign product managers (and execs), for example, worried about being dis-intermediated by the RP talking to a verification agent willing to speak for several cert authorities operating at a fraction of the VeriSign cost basis (once VeriSign had done the HARD task of first-introduction). VeriSign had no opportunity to recoup its cost outlay (that is), only enabling its competitors.
>
> This comes down to governance, though. Some folks NEVER learned to separate cert issuing (and liability control) from governance of the RP, thereafter, or the associating of revenues with continuing governance (over downstream privacy policy enforcement, say).
>
> I was VERY VERY pleased to see a mature Google (as IDP) did not have that hangup, allowing the Microsoft bridge (between openid protocols and ws-fedp protocols used by our Windowsy realty systems) to add a bit of value (doing a few protocol conversion steps, for a variety of bit formats). It gave me some renewed hope about openid quite recently (to be honest) - which I'd kind of written off.
IMHO one of the purposes of OpenID is to persuade product managers not
to fear openness on the web. Indeed, it can be a competitive
advantage.

I think all of the aspiring ID systems on the web can complement each
other by agreeing that Identity is represented by a URI. Then your
sign-in process is just a flavor of the same concept.

Perhaps Facebook Connect is already there. The very first post on
OpenID / Yadis made this clear, but perhaps that element has become
slightly faded over the years.

This also leads to the next phase, which is Trust.