<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Paul Madsen wrote:
<blockquote cite="mid:47C7F2D0.90107@rogers.com" type="cite"><br>
An X.509 RP has the same desires as an OpenID RP, ie that they can be
confident that the authority's (either CA or OP)
practices/procedures/technologies provide sufficient assurance for the
application being accessed.
<br>
</blockquote>
Exactly! And what do we know about this? What do we know about
"practices/procedures/technologies" in the OpenID world?<br>
<br>
As an OpenID RP I can't make a decision about each and every OP, not to
mention that I've never seen any OP which has policy governing its
operations. Nor have I ever seen a third party attestation confirming
any policy or practice statement either. Hence, in the OpenID world,
any trust (if there is such a thing at all) is based on pure
assumptions....nothing more. Neither does SSL between the OP and RP
solve this problem, it solves a different one (eavesdropping). In
relation to that, I guess any OP not using https shouldn't even be
considered by a RP really.<br>
<br>
In order to solve the problem mentioned above I suggested in the past
to form a federated group of providers which operates according to a
certain standard and verifies them in some form.<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>