<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
+1<br>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
Peter Williams:
<blockquote cite="mid:F2E47838-88A8-4FEF-8BA5-F8EFC95ECA34@mimectl"
type="cite">
<div dir="ltr"><font color="#000000" face="Arial" size="2">Point 6 is
very subjective, judged using the following (subjective) criteria.</font></div>
<blockquote dir="ltr" style="margin-right: 0px;">
<div dir="ltr"><font color="#000000" face="Arial" size="2">10+
years of evidence has shown that consumers are unwilling or unable to
handle self-signed cert root key download events, being unable or
unwilling to evaluate the trust providers who assurance underpin the
delivery of SSL security services. This is likely to extend to the
world of https openids, a type of openid that our trade association is
apparently promoting as a "best practice" (a material, legal event,
note). Its not clear that consumer will be suddenly be able to now
determine which providers are capable of providing anti-phishing
protection.</font></div>
</blockquote>
<div dir="ltr"><font face="Arial" size="2">Point 7 is perhaps ill
advised as a basic rationale for openid adoption by RPs.</font></div>
<blockquote dir="ltr" style="margin-right: 0px;">
<div dir="ltr"><font face="Arial" size="2">Relying parties are
inevitably liable for the circumstances of their act of reliance on any
(security) assertion made by a third party, says this non-lawyer.
Having admitted an openid to be used to impersonate a subscribed user,
and upon relying upon a UCI-grade OP's assertion, the RP will surely
continue to have the full panoply of legal obligations.<br>
<br>
Assume for example, that the RP (e.g. "plaxo") is operating in the
state of California. Assume also that the RP has account linked one or
more of a CONSUMER's openids to a single "plaxo" for-fee account (that
is subscribed to be in good standing), where we note that "plaxo"
is in the normal, _dominant_ business-to-consumer legal relationship
with the subscriber, as assessed under CA criteria. Assume now that the
OP involved in the account linking is just 1 of several UCI-grade OPs
bound by "plaxo" - upon one or more constructive acts of reliance
involving cert messages and openid auth messages - to this and other
subscriber accounts. Assume furthermore that "plaxo" is relying upon
one or more OPs with whom it has no agreements governing the act of
reliance. Lets assert now that it is now common public knowledge that a
given OP has engaged in an improper act, leading to the situation that
there is a "high level of risk" that Personal data of a "plaxo"
subscriber has been compromised. We could ask Plaxo's general counsel
to volunteer legal advice on a hypothetical: would s/he now feel
legally obligated under CA law to issue n written letters by US post to
all "affected" _subscribers_, warning them of the generalized exposure?
If so, how would one enumerate those who are "affected" in the case of
UCI-grade openid?</font></div>
<div dir="ltr"> </div>
</blockquote>
<div dir="ltr"> </div>
<div dir="ltr"> </div>
<div dir="ltr">
<hr tabindex="-1"></div>
<div dir="ltr"><font face="Tahoma" size="2"><b>From:</b> Chris Drake<br>
<b>Sent:</b> Thu 3/20/2008 3:34 AM<br>
<b>To:</b> Brendon J. Wilson<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a><br>
<b>Subject:</b> Re: [OpenID] Thinking About OpenID.com<br>
</font><br>
</div>
<div>
<pre style="">Hi Brendon,
Some more suggestions...
6) Security - when folks have their fave provider, they're less
vulnerable to phishing and password hijacking in other forms, not
to mention, the providers job is to improve in this area too,
freeing up the RP to ignore this stuff.
7) Legal responsibilities - probably not one that Providers are happy
with, but, it's not the RPs fault if a customer account is
plundered because of fault with the login system - freeing up the
RP from the legal liability/responsibility of that issue (eg: the
customer would sue the Provider, not the RP)
Liability is probably different depending on the TOS involved, and
the country of the customer and provider (and maybe RP) - some
jurisdictions have laws that forbid the disclaiming of various kinds
of liabilities.
Kind Regards,
Chris Drake
Thursday, March 20, 2008, 2:53:18 AM, you wrote:
BJW> +1 Snorri's comment.
BJW> I've been looking at OpenID for a client, and as I survey the OpenID
BJW> landscape it's become apparent very quickly that there's lots of
BJW> identity providers, but not a lot of relying parties. Any of the big
BJW> players seem to be staying out of that space, with the exception of
BJW> the blog platforms and open source CMS systems. Examples: AOL - only
BJW> Propeller seems to have OpenID as a login option. Yahoo! - haven't
BJW> found an OpenID login yet. All of the focus right now seems to be on
BJW> getting people to get an OpenID.
BJW> I think any discussion of how to evangelize OpenID to the general
BJW> public also requires the foundation to clearly articulate the value of
BJW> being a relying party, otherwise we risk stalled growth when users
BJW> finally decide to get an OpenID, but have nowhere to use it. JanRain
BJW> claims 8,000 relying parties, but I've seen little justification for
BJW> that number; OpenIDDirectory.com lists about 530 or so OpenID-related
BJW> sites, and 60 or so of them are identity providers. Demonstrating
BJW> value to potential relaying parties also requires showing, in no
BJW> uncertain terms, just how many people already use it.
BJW> I'd like to propose the following strawman benefits of being a relying
BJW> party for the group to eviscerate (warning: businesspeak ahead):
BJW> 1) Expedited customer acquisition: OpenID allows user to quickly and
BJW> easily complete the account creation process by eliminating entry of
BJW> commonly requested fields (email address, sex, birthdate), thus
BJW> reducing the friction to adopt a new service.
BJW> 2) Reduced user account management costs: The primary cost for most IT
BJW> organizations is resetting forgotten authentication credentials. By
BJW> reducing the number of credentials, a user is less likely to forget
BJW> their credentials. By outsourcing the authentication process to a
BJW> third-party, the relying party can avoid those costs entirely.
BJW> 3) "Thought leadership": There is an inherent marketing value for an
BJW> organization to associate itself activities that promote it as a
BJW> thought leader. It provides an organization with the means to
BJW> distinguish itself from its competitors. This is your chance to
BJW> outpace your competitors.
BJW> 4) Your competitors are already doing it: Whoops! So you missed out on
BJW> number 4, so you have to do it, otherwise you're falling behind the
BJW> times. Ketchup!
BJW> 5) Simplified user experience: Logical follow on from 1 & 2. However,
BJW> it's at the end of the list because that's not the business priority.
BJW> The business priority is the benefit that results from a simplified
BJW> user experience, not the simplified user experience itself.
BJW> Thoughts?
BJW> Brendon
BJW> ---
BJW> Brendon J. Wilson
BJW> <a class="moz-txt-link-abbreviated" href="http://www.brendonwilson.com">www.brendonwilson.com</a>
BJW> _______________________________________________
BJW> general mailing list
BJW> <a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
BJW> <a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
</body>
</html>