<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Stephan,<br>
<br>
I hope we all agree that SMTP sucks! We all suffer from it really... But
because it's extremely popular, many different solutions are tried with
more or less success to overcome spam and phishing. SMTP was developed
in the 80s and nobody can blame the inventor of this protocol for not
seeing into the future.<br>
<br>
XMPP, however, is aware of the threats and is openly working on
preventing spam: <a class="moz-txt-link-freetext" href="https://stpeter.im/?p=1989">https://stpeter.im/?p=1989</a><br>
Also XMPP tries to improve security aspects: <a class="moz-txt-link-freetext" href="https://www.xmpp.net/">https://www.xmpp.net/</a><br>
<br>
Now in the real world, and also in PKI, the relying party is the one to
be protected. In PKI the concern is the relying party (end user) who
needs assurances for doing X or Y on the Internet (including purchases,
socializing, commerce, etc.).<br>
<br>
However, in the OpenID world, the relying party is NOT the end user**
(having an account), but web sites. The web sites wishing to make use
of OpenID as an authentication form are the relying party. It's their
sites which get screwed and spammed. You say below: <br>
<br>
"A bad OP can only do nasty things if user X chooses to use them."<br>
<br>
But if you can be your own OP, then you are also the user and the OP!
So a bad user is also a bad OP! I don't want to rely on bad OPs.
Therefore there must be a mechanism which allows any sincere
person/organization to run their own OP, but prevents the bad guys from
doing that. Proposals have been posted to this list and thread.<br>
<br>
** The end user obviously can also be screwed by IDPs (by weak server
security, identity theft and simple fraud), but as you mentioned
correctly, this is the end user's choice if he relies on a third party
identity provider (IDP).<br>
<br>
Stephen Paul Weber wrote:
<blockquote
cite="mid:6991f8e00707201220i4d37f2b4xd6e88b36ad7ba4ae@mail.gmail.com"
type="cite">I have to agree here. There are decentralized
technologies that work: SMTP and XMPP being the most popular. An RP
needs to be able to trust users, not OPs. The protocol proves that
user X has chosen OP X and controls URI X. A bad OP can only do nasty
things if user X chooses to use them. USERs can be nasty, but OPs
serve a pretty basic function.
<br>
<br>
<div><span class="gmail_quote">On 7/8/07, <b class="gmail_sendername">Brendan
Taylor</b> <<a moz-do-not-send="true"
href="mailto:whateley@gmail.com">whateley@gmail.com</a>> wrote:</span>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On
Sun, Jul 08, 2007 at 01:59:02AM +0300, Eddy Nigg (StartCom Ltd.) wrote:<br>
> like self-signed certificates. A relying party can choose to trust them<br>
> but nothing has been verified or guaranteed in any form (not even the<br>
> integrity of the authentication process). For me as relying party<br>
> running a forum or web log, this is not really assuring...not to speak<br>
> about other potential login facilities.<br>
<br>
This is something I've never understood - why does an RP need to trust an<br>
OP? If this is about spam, then surely it makes more sense to determine<br>
trust per-user (and possibly blacklist OPs).<br>
<br>
I especially don't understand why the RP cares about "integrity of the<br>
authentication process". Surely it should be the user's responsibility<br>
to select an OP with the security they require.<br>
<br>
I think this is going in the wrong direction; I would be very<br>
disappointed if OpenID lost its decentralization, and I'm not sure why<br>
people think it needs to.<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a moz-do-not-send="true" href="mailto:general@openid.net">general@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general
</a><br>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
- Stephen Paul Weber, Amateur Writer<br>
<<a moz-do-not-send="true" href="http://www.awriterz.org">http://www.awriterz.org</a>><br>
<br>
MSN/GTalk/Jabber: <a moz-do-not-send="true"
href="mailto:singpolyma@gmail.com">
singpolyma@gmail.com</a><br>
ICQ/AIM: 103332966<br>
BLOG: <a moz-do-not-send="true" href="http://singpolyma.net/">http://singpolyma.net/</a>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer: Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Jabber: <a class="moz-txt-link-abbreviated" href="mailto:startcom@startcom.org">startcom@startcom.org</a></font></div>
<div><font face="Arial" size="2">Phone: +1.213.341.0390</font></div>
</div>
</body>
</html>