<HTML dir=ltr><HEAD></HEAD>
<BODY>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Point 6 is very subjective, judged using the following (subjective) criteria.</FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>10+ years of evidence has shown that consumers are unwilling or unable to handle self-signed cert root key download events, being unable or unwilling to evaluate the trust providers whose assurances underpin the delivery of SSL security services. This is likely to extend to the world of https openids, a type of openid that our trade association is apparently promoting as a "best practice" (a material, legal event, note). It's not clear that consumers will suddenly be able to determine which providers are capable of providing anti-phishing protection.</FONT></DIV></BLOCKQUOTE>
<DIV dir=ltr><FONT face=Arial size=2>Point 7 is perhaps ill advised as a basic rationale for openid adoption by RPs.</FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV dir=ltr><FONT face=Arial size=2>Relying parties are inevitably liable for the circumstances of their act of reliance on any (security) assertion made by a third party, says this non-lawyer. Having admitted an openid to be used to impersonate a subscribed user, and upon relying upon a UCI-grade OP's assertion, the RP will surely continue to have the full panoply of legal obligations.<BR><BR>Assume, for example, that the RP (e.g. "plaxo") is operating in the state of California. Assume also that the RP has account-linked one or more of a CONSUMER's openids to a single "plaxo" for-fee account (that is subscribed and in good standing), where we note that "plaxo" is in the normal, _dominant_ business-to-consumer legal relationship with the subscriber, as assessed under CA criteria. Assume now that the OP involved in the account linking is just 1 of several UCI-grade OPs bound by "plaxo" - upon one or more constructive acts of reliance involving cert messages and openid auth messages - to this and other subscriber accounts. Assume furthermore that "plaxo" is relying upon one or more OPs with whom it has no agreements governing the act of reliance. Let's assert now that it is common public knowledge that a given OP has engaged in an improper act, leading to the situation that there is a "high level of risk" that personal data of a "plaxo" subscriber has been compromised. We could ask Plaxo's general counsel to volunteer legal advice on a hypothetical: would s/he now feel legally obligated under CA law to issue n written letters by US post to all "affected" _subscribers_, warning them of the generalized exposure? If so, how would one enumerate those who are "affected" in the case of UCI-grade openid?</FONT></DIV>
</BLOCKQUOTE>
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr><FONT face=Tahoma size=2><B>From:</B> Chris Drake<BR><B>Sent:</B> Thu 3/20/2008 3:34 AM<BR><B>To:</B> Brendon J. Wilson<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> Re: [OpenID] Thinking About OpenID.com<BR></FONT><BR></DIV>
<DIV><PRE style="WORD-WRAP: break-word">Hi Brendon,
Some more suggestions...
6) Security - when folks have their fave provider, they're less
vulnerable to phishing and password hijacking in other forms, not
to mention, the provider's job is to improve in this area too,
freeing up the RP to ignore this stuff.
7) Legal responsibilities - probably not one that Providers are happy
with, but, it's not the RP's fault if a customer account is
plundered because of a fault with the login system - freeing up the
RP from the legal liability/responsibility of that issue (e.g. the
customer would sue the Provider, not the RP)
Liability is probably different depending on the TOS involved, and
the country of the customer and provider (and maybe RP) - some
jurisdictions have laws that forbid the disclaiming of various kinds
of liabilities.
Kind Regards,
Chris Drake
Thursday, March 20, 2008, 2:53:18 AM, you wrote:
BJW> +1 Snorri's comment.
BJW> I've been looking at OpenID for a client, and as I survey the OpenID
BJW> landscape it's become apparent very quickly that there's lots of
BJW> identity providers, but not a lot of relying parties. Any of the big
BJW> players seem to be staying out of that space, with the exception of
BJW> the blog platforms and open source CMS systems. Examples: AOL - only
BJW> Propeller seems to have OpenID as a login option. Yahoo! - haven't
BJW> found an OpenID login yet. All of the focus right now seems to be on
BJW> getting people to get an OpenID.
BJW> I think any discussion of how to evangelize OpenID to the general
BJW> public also requires the foundation to clearly articulate the value of
BJW> being a relying party, otherwise we risk stalled growth when users
BJW> finally decide to get an OpenID, but have nowhere to use it. JanRain
BJW> claims 8,000 relying parties, but I've seen little justification for
BJW> that number; OpenIDDirectory.com lists about 530 or so OpenID-related
BJW> sites, and 60 or so of them are identity providers. Demonstrating
BJW> value to potential relying parties also requires showing, in no
BJW> uncertain terms, just how many people already use it.
BJW> I'd like to propose the following strawman benefits of being a relying
BJW> party for the group to eviscerate (warning: businesspeak ahead):
BJW> 1) Expedited customer acquisition: OpenID allows users to quickly and
BJW> easily complete the account creation process by eliminating entry of
BJW> commonly requested fields (email address, sex, birthdate), thus
BJW> reducing the friction to adopt a new service.
BJW> 2) Reduced user account management costs: The primary cost for most IT
BJW> organizations is resetting forgotten authentication credentials. By
BJW> reducing the number of credentials, a user is less likely to forget
BJW> their credentials. By outsourcing the authentication process to a
BJW> third-party, the relying party can avoid those costs entirely.
BJW> 3) "Thought leadership": There is an inherent marketing value for an
BJW> organization to associate itself with activities that promote it as a
BJW> thought leader. It provides an organization with the means to
BJW> distinguish itself from its competitors. This is your chance to
BJW> outpace your competitors.
BJW> 4) Your competitors are already doing it: Whoops! So you missed out on
BJW> number 4, so you have to do it, otherwise you're falling behind the
BJW> times. Ketchup!
BJW> 5) Simplified user experience: Logical follow-on from 1 & 2. However,
BJW> it's at the end of the list because that's not the business priority.
BJW> The business priority is the benefit that results from a simplified
BJW> user experience, not the simplified user experience itself.
BJW> Thoughts?
BJW> Brendon
BJW> ---
BJW> Brendon J. Wilson
BJW> www.brendonwilson.com
BJW> _______________________________________________
BJW> general mailing list
BJW> general@openid.net
BJW> http://openid.net/mailman/listinfo/general
</PRE></DIV></BODY></HTML>