<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Consolas","serif";
        color:black;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Forming trust relationships (leveraging EV certs) can be
explored at <a href="https://account.live.com/addlink.aspx?mkt=en-us">https://account.live.com/addlink.aspx?mkt=en-us</a>.
It's basically account linking, but between two accounts of the same user. If
you follow the link, note the legal twist that is interesting in and of itself.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It's fun to see the changes in the market in the last year. 1. Google
issuing a SAML IDP toolkit, to talk to Google Apps. 2. Yahoo launching an OP
that imposes a hub-centric federation model. 3. Microsoft letting local
cardspace IDPs bind to LiveIDs, SP-centric. 4. AOL doing its thing (?). 5. Ping
launching “immediate auto-connect” for SAML2, to emulate openid discovery.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>When people as dumb as me can finally get on the bandwagon, you
know a market has reached tipping point. The days of $6000 per connection (per
direction!) annual fees are over, as are the rules that made it take 3 months
to connect two folks. Even when FIRST TIME RP partners do new programming/integration
using open source toolkits, I know after 10 rounds of this that in reality connection
setup is about a week. And, most of that concerns agreeing the UI handoff
between hub/spoke!<o:p></o:p></span></p>
<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If anyone has an RP site accepting unsolicited openid2 auth,
with no association (but optionally leverages https), I'd like to do
some interworking trials. I want to get the IDP-side code down to a page of simple
script, for this minimal profile.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
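<p class=MsoNormal>The minimal profile sketched above (an OP pushing an unsolicited OpenID 2.0 positive assertion to an RP that holds no association, so the RP must fall back to stateless direct verification with check_authentication), as an added example that is not code from the original message or from any product named in it: both sides run in one process, the OP and RP URLs and the claimed identifier are constructed, and the RP's trusted_ops set stands in for the discovery on the claimed identifier that a real RP performs before trusting an op_endpoint.</p>

```python
import base64, calendar, hashlib, hmac, secrets, time
NS = "http://specs.openid.net/auth/2.0"
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def kv_form(p, signed):  # Key-Value form (spec 4.1.1): "field:value\n" per signed field, in order
    return "".join("%s:%s\n" % (f, p["openid." + f]) for f in signed)

class OP:  # hypothetical minimal OP: unsolicited assertions plus stateless check_authentication
    def __init__(self, endpoint):
        self.endpoint, self.private = endpoint, {}  # private associations: handle -> MAC key
    def unsolicited_assertion(self, claimed_id, return_to):
        handle, key = secrets.token_hex(8), secrets.token_bytes(20)
        self.private[handle] = key
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
        p = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": self.endpoint,
             "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
             "openid.return_to": return_to, "openid.response_nonce": nonce,
             "openid.assoc_handle": handle, "openid.signed": ",".join(MUST_SIGN)}
        mac = hmac.new(key, kv_form(p, MUST_SIGN).encode(), hashlib.sha1).digest()  # HMAC-SHA1
        p["openid.sig"] = base64.b64encode(mac).decode()
        return p
    def check_authentication(self, p):
        key = self.private.pop(p.get("openid.assoc_handle"), None)  # one-shot: each handle is checked once
        if key is None or p.get("openid.mode") != "check_authentication":
            return {"ns": NS, "is_valid": "false"}
        mac = hmac.new(key, kv_form(p, p["openid.signed"].split(",")).encode(), hashlib.sha1).digest()
        ok = hmac.compare_digest(base64.b64encode(mac).decode(), p.get("openid.sig", ""))
        return {"ns": NS, "is_valid": "true" if ok else "false"}

class RP:  # hypothetical RP with no association: every assertion goes to direct verification
    def __init__(self, return_to, trusted_ops, direct_request, max_skew=300):
        self.return_to, self.trusted_ops = return_to, trusted_ops  # trusted_ops stands in for discovery
        self.direct_request, self.max_skew, self.seen = direct_request, max_skew, set()
    def verify(self, p, now=None):  # returns the verified claimed_id, or None
        now = time.time() if now is None else now
        if (p.get("openid.ns") != NS or p.get("openid.mode") != "id_res"
                or any("openid." + f not in p for f in MUST_SIGN + ("signed", "sig"))
                or p["openid.return_to"] != self.return_to  # wrong audience
                or p["openid.op_endpoint"] not in self.trusted_ops  # OP not confirmed by discovery
                or not set(MUST_SIGN).issubset(p["openid.signed"].split(","))):
            return None
        nonce = (p["openid.op_endpoint"], p["openid.response_nonce"])
        stamp = calendar.timegm(time.strptime(nonce[1][:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(now - stamp) > self.max_skew or nonce in self.seen:
            return None  # stale or replayed assertion
        reply = self.direct_request(nonce[0], {**p, "openid.mode": "check_authentication"})
        if reply.get("ns") != NS or reply.get("is_valid") != "true":
            return None
        self.seen.add(nonce)
        return p["openid.claimed_id"]
```

The direct_request callable is where a real RP would POST to op_endpoint over https; here it simply calls the in-process OP.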
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Eddy Nigg (StartCom
Ltd.)<br>
<b>Sent:</b> Friday, February 29, 2008 1:20 PM<br>
<b>To:</b> Martin Paljak<br>
<b>Cc:</b> OpenID General<br>
<b>Subject:</b> Re: [OpenID] openid query<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Martin Paljak wrote: <o:p></o:p></p>
<pre>Do I trust the 50+ 'authorities' pre-selected by somebody else for me
in Firefox? I doubt it. Do I trust the OpenID providers I've chosen to
use? More likely.</pre>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
So this is entirely off-topic (well, maybe it isn't), but it seems that you
have no clue about how CAs are admitted and governed in the Mozilla NSS
store. Not only is the full process of inclusion of a CA performed publicly, a
concrete set of policy [1] (and practices) control inclusions and included CAs.
The CAs in NSS are not just "pre-selected by somebody" but each CA
undergoes a not so easy process; some are rejected entirely or held up for
inclusion until meeting certain requirements. Mozilla does provide a set of CAs
included within their software on behalf of the user, because it's very
inconvenient to read and understand each CA's policies and attestations in
order to make a decision.<br>
<br>
OpenID providers don't have to undergo <b>any</b> vetting and don't have to
adhere to <b>any</b> outlined requirements and policies whatsoever, so what you
are saying here is absolute rubbish. Joe Candoall may be an OpenID provider but
certainly not a CA included in NSS (or other software I guess). I suggest being
careful with such baseless and bold comparisons if you don't know about
it... else please explain what is the basis of your trust in OpenID providers
compared to the Mozilla included CAs, because what you are saying right now is
that:<br>
<br>
- I trust a provider which has his site hosted at some shared hosting provider
somewhere<br>
- I trust a provider which hasn't any policies and practices implemented<br>
- I trust a provider which doesn't need to meet any requirements whatsoever<br>
- I trust a provider which hasn't undergone any vetting by a third party<br>
- I trust a provider which doesn't have to take any responsibility<br>
- I trust a provider which doesn't give me any guarantees nor insight about its
authentication methods<br>
<br>
<br>
- I don't trust a set of CAs which <b>must</b> meet declared requirements set
forth by Mozilla...mmmhhh....<br>
<br>
<br>
[1] <a href="http://www.mozilla.org/projects/security/certs/policy/">http://www.mozilla.org/projects/security/certs/policy/</a><o:p></o:p></p>
<div>
<p class=MsoNormal>-- <o:p></o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
</table>
<p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p>
</div>
</div>
</div>
</body>
</html>