<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Summing up a little bit...<br>
<br>
With all the discussion going on here and also off-list by various
community members I come to the following conclusion for now:<br>
<br>
1.) A third party body, which would perform various services for IDPs
(and RPs) is generally welcome. This body shouldn't be controlled or
founded by the OpenID Foundation, however members of the OpenID
community might participate freely.<br>
<br>
2.) Any sincere IDP should be able to register and advertise its
service in a basic configuration with no strings attached. Any promises
of the IDP such as SSL secured site, certificate login, smart card
usage etc shall be verified and confirmed by the third party body. This
includes identity/organization validation of the IDP itself as well.<br>
<br>
3.) ID validation performed by the IDP itself or other third party
confirmations such as from web-of-trusts and CAs is another aspect the
body might confirm.<br>
<br>
4.) Blacklists have obviously their drawbacks but might be needed under
a certain conditions. It would be useful to include this service for
RPs, specially in order to prevent spam on forums, blogs which most
likely won't have many restrictions or conditions on the IDP.<br>
<br>
An RP might set the level of requirements, for example:<br>
<br>
Check Blacklist = Yes<br>
IDP SSL secured = Yes<br>
<br>
or<br>
<br>
IDP SSL secured = Yes<br>
Certificate Login = Yes<br>
ID web-of-trust validated = Yes<br>
<br>
or even<br>
<br>
IDP SSL secured = Yes<br>
IDP operator validated = Yes<br>
ID CA validated (Class 2 or higher) = Yes<br>
ID Smart Card = Yes<br>
<br>
Or many other combinations...Any IDP can register and provide any of
the options or none. The third party body confirms that the IDP in
question has been checked/verified to provide the services in question
according to a criteria the body has to setup. In addition, the body
would organize and manage a blacklist.<br>
<br>
Suggestions? <br>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer: Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Jabber: <a class="moz-txt-link-abbreviated" href="mailto:startcom@startcom.org">startcom@startcom.org</a></font></div>
<div><font face="Arial" size="2">Phone: +1.213.341.0390</font></div>
</div>
<br>
Scott Kveton wrote:
<blockquote
cite="mid:6ab6c4990707160906p76ae4043gfb242326c64c16d6@mail.gmail.com"
type="cite">
<blockquote type="cite">
<pre wrap="">@Scott: You can support a centralized list of certified OpenID
servers, as long as it isn't part of the OpenID foundation? :-)
</pre>
</blockquote>
<pre wrap=""><!---->
Email has had this problem for years and the solution was the creation
of real-time blackhole lists (RBL's). I've used these for years and
have been so thankful they exist. However, they are not without their
problems. Liability and litigation have caused all sorts of problems
for RBL's ... apply this to identity and the legal minefield gets that
much more crowded.
So, my stupidly long-winded response to your question is this; I'll
personally use a centralized list of "trusted" (<- in quotes because
its a fully-loaded word) OpenID providers if it exists but I don't
believe that the OpenID Foundation should advocate, sponsor, implement
or specifically support any one.
- Scott
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
</body>
</html>