<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1382511837;
mso-list-type:hybrid;
mso-list-template-ids:492851624 -1242551812 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I get to talk to 1.3 million consumers - individual contractors who
each exhibit both business and individual usage profiles and behaviors, while using
4 PCs. 3 of them are unmanaged , poor security, Windows HomeXP edition machines,
often managed by 13 year boys who typically also have a fascination for porn. Virus
problems are rampant, mainly due to the porn angle. It’s pointless trying to educate
13year olds to avoid porn sites.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> 15% of GDP currently directly depends on those Microsoft machines!
Only 25% of them are professionally managed. There is nothing one can do about
that, as the Realtor is an independent contractor. The Realtor will not be
allowed that designation, if one starts to control their workplace.; they become
designated employees, with a cost basis that realty cannot sustain for 1.3
million persons. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The realtor is also necessarily entirely mobile, expecting to
use whatever PC at café, whatever PC at homeowner’s house, whatever PC as
showing house, whatever PC(s) at home, …or some browser on their internet phone.
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Realtors do also use well secured, well-managed PC operated by
larger brokers – if they work out of _<i>major</i>_ broker’s office (only).
Most realtors do not. Most work out of jimmy smiths brokerage, with a bestbuy
installed network ….. of window Home XP PCs, running in admin mode. Public PCs
abound; just sit down and use it – no network login required!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>An interesting group! with interesting security management dynamics.
And this groups represents a challenge - to see how one might apply all this
high-power military crypto stuff we here get to design with… in that unmanaged environment.<o:p></o:p></span></p>
<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Now to the point!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>To this interesting consumer set, there seems to be two expectations,
operating at different levels, concerning blogging:-<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The desire to control (social networking style) which other OpenIDers
can add comment’s on a blog. By controlling one’s comment-policy, one gets to
achieve some political end – the reason why one bother’s to craft a rant campaign
in the first place:<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level2 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Courier New";color:#1F497D'><span style='mso-list:Ignore'>o<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>E.g. Perhaps
some user posts something innocuous but socio-political to his/her blogsite –
and only allows the known-horrid-group of responders to publicly comment ….thus
helping achieving the political goal of polarizing society….so see it Robert Heinlein
was right in his fictional-form arguments on the appropriate place for Fascism in
America, etc.<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:1.0in'><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The desire to exclude anyone from certain OpenID Providers or delegated
OpenID Providers:<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level2 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Courier New";color:#1F497D'><span style='mso-list:Ignore'>o<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>E.g.
Anyone using an OpenID even partly associated with MSN is inherently braindead
to start with – as MSN is a Microsoft technology. I deny the class of OpenIDers
using MSN, as a protest in favor of my preference for Apple products. An
opinion. <o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level2 lfo1'><![if !supportLists]><span style='font-size:11.0pt;
font-family:"Courier New";color:#1F497D'><span style='mso-list:Ignore'>o<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>E.g.
Anyone from a Rapattoni membership system OpenID is inherently old-school
realty, as the future of realty is in web2.0 where tech will allow “lendingtree.com”
OpenIDs to dis-intermediate. Another opinion.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If RDF files address 1, and HTTP1.1 TLS tunnel upgrade processes
addresses 2, we may have what we need – pulling these two from the technology
shelf.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What we need now are protocols hooks and UI concepts that
implement these raw technologies in a fashion that consumers can manage – and thus
impose their view of trustworthiness on the world – as they see it.<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Eddy Nigg (StartCom Ltd.)
[mailto:eddy_nigg@startcom.org] <br>
<b>Sent:</b> Saturday, July 21, 2007 9:46 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Eric Norman; OpenID List; OpenID List<br>
<b>Subject:</b> Re: [OpenID] [security] Trust + Security @ OpenID<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>... Hi Peter, just saw your blog...<br>
... Who installed wordpress (or whatever) for you?<br>
... You did? <br>
... Ahhh...you also installed a few plugins?<br>
... Really?<br>
... You also added the OpenID login option to your blog?<br>
... Very nice...job well done!<br>
<br>
Now tell me why should it be any different for having OpenID login including
some "trust" mechanism? Did you develop wordpress in order to blog on
your web site?<br>
<br>
Peter Williams wrote: <o:p></o:p></p>
<pre>I'm a blogger. I want to allow other commentators to add to my rant, logging in using their openid.I want to decide which openid providers I trust. I have no faith whatsoever in the decisions of google - my blogsite operator - on this score.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>I'm a blogger....not an apache/iis admin skilled in IT.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>How do we design for this? <o:p></o:p></pre><pre><o:p> </o:p></pre><pre>10000 bloggers, 10000 trust models during reliance. 10000 trust stores in iis/apache?<o:p></o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal>huuu? Perhaps 1 trust model would be good already. <br>
<br>
<o:p></o:p></p>
<pre><o:p> </o:p></pre><pre>-----Original Message-----<o:p></o:p></pre><pre>From: "Eddy Nigg (StartCom Ltd.)" <a
href="mailto:eddy_nigg@startcom.org"><eddy_nigg@startcom.org></a><o:p></o:p></pre><pre>To: "Eric Norman" <a
href="mailto:ejnorman@doit.wisc.edu"><ejnorman@doit.wisc.edu></a><o:p></o:p></pre><pre>Cc: "OpenID List" <a
href="mailto:security@openid.net"><security@openid.net></a>; "OpenID List" <a
href="mailto:general@openid.net"><general@openid.net></a><o:p></o:p></pre><pre>Sent: 7/21/07 7:04 AM<o:p></o:p></pre><pre>Subject: Re: [OpenID] [security] Trust + Security @ OpenID<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Apache web servers come many times with a CA bundle installed (mostly <o:p></o:p></pre><pre>Linux distributions). This is usually a dump from the NSS (Mozilla) <o:p></o:p></pre><pre>store. One can add easily more PEM encoded certificate to that bundle - <o:p></o:p></pre><pre>all the ones you want to trust. Implementation can require valid <o:p></o:p></pre><pre>certificates traceable back to a root in the CA bundle.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>I don't know much about IIS (anymore), but I guess the same could be <o:p></o:p></pre><pre>possible there, using the local machine store.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Eric Norman wrote:<o:p></o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>On Jul 20, 2007, at 8:30 AM, Johnathan Nightingale wrote:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>As Dmitry observes, the protection it offers is useless if there are <o:p></o:p></pre><pre>http (i.e. non-SSL/TLS) links in the chain.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre>True enough. But there's more. Many will argue that such<o:p></o:p></pre><pre>protection is also useless unless the correct trust anchors<o:p></o:p></pre><pre>(some folks call them "root" certificates) are deployed at<o:p></o:p></pre><pre>the correct places. This is far easier to say then accomplish.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Eric Norman<o:p></o:p></pre><pre><a
href="http://ejnorman.blogspot.com">http://ejnorman.blogspot.com</a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>security mailing list<o:p></o:p></pre><pre><a
href="mailto:security@openid.net">security@openid.net</a><o:p></o:p></pre><pre><a
href="http://openid.net/mailman/listinfo/security">http://openid.net/mailman/listinfo/security</a><o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre></blockquote>
<pre><o:p> </o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>-- <o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Regards</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Signer:
Eddy Nigg, StartCom Ltd.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Jabber:
<a href="mailto:startcom@startcom.org">startcom@startcom.org</a></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Phone:
+1.213.341.0390</span><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>