<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16481" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial
size=2>In the end no technology is going to stop people saying things that
are untrue. Stopping this is a going to be a job for the courts. When
somebody says something untrue for personal gain it is
fraud.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial
size=2>So for the whitelist/blacklist let people assert
(non)compliance, you verify as far as reasonable, you solicit dispute claims for
untrue assertions, you have terms and conditions which give a legal framework
for compensation/damages (or simply disclaim them).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial
size=2>So in the end the trusting party can only place an amount of trust in a
whitelist/blacklist equal to the level of legal protection plus
any 'gut feeling' aspects of how well they think
the whitelist/blacklist is operated.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial size=2>I
think the situation is very similar to SMTP RBL. If you look at the amount of
legal claims MAPS have had to deal with you see the importance of a solid
legal framework!</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007></SPAN><SPAN
class=338522209-20072007><FONT face=Arial size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007><FONT face=Arial
size=2>Andrew</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=338522209-20072007></SPAN><SPAN
class=338522209-20072007><FONT face=Arial size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B>
general-bounces@openid.net [mailto:general-bounces@openid.net] <B>On Behalf Of
</B>Eddy Nigg (StartCom Ltd.)<BR><B>Sent:</B> 19 July 2007 18:31<BR><B>To:</B>
Brendan Taylor; general@openid.net<BR><B>Subject:</B> Re: [OpenID] Trust +
Security @ OpenID<BR></FONT><BR></DIV>
<DIV></DIV>Hi Brendan,<BR><BR>Brendan Taylor wrote:
<BLOCKQUOTE cite=mid:20070719155944.GA7341@nyarlathotep.ciibis.ca type="cite"><PRE wrap=""><!---->
How will you verify that I'm using the authentication method I claim I am?</PRE></BLOCKQUOTE>Since
no such body yet exists nor any discussion has been taken place at all on how it
should function (foundation, board, staff, volunteers, mission, rules etc), I
guess this is somewhat premature. Obviously those are all decisions which would
have to be defined in a verification policy or guideline. But to answer the
question, one method could be, by simply accessing the system by a
representative or volunteer and requesting an account. It might be that
from time to time such a check will be randomly repeated perhaps?<BR><BR>Ideas
for verification methods of the various bits could be interesting!<BR><BR><BR>
<DIV class=moz-signature>-- <BR>
<DIV><FONT face=Arial size=2>Regards</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Signer: Eddy Nigg,
StartCom Ltd.</FONT></DIV>
<DIV><FONT face=Arial size=2>Jabber: <A
class=moz-txt-link-abbreviated
href="mailto:startcom@startcom.org">startcom@startcom.org</A></FONT></DIV>
<DIV><FONT face=Arial size=2>Phone:
+1.213.341.0390</FONT></DIV></DIV></BODY></HTML>