<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Apologies, but I have no idea what you just said, neither syntactically nor semantically ;-)<div><br><div>On 2008/03/21, at 20:57, Peter Williams wrote:<br><blockquote type="cite"><div> <div id="idOWAReplyText40819" dir="ltr"> <div dir="ltr"><font face="Arial" color="#000000" size="2">Writer-to-reader crypto policy via public key crypto and cert-based key distribution prevents dis-intermediation by RP proxies, allowing ORCON (originator control) over the controls on the IDP to actually impact the RP in question (not some proxy). This has been well known since the early 70s, and was applied through the 80s in secure phone and data networks. The advantage of trusted message switching, using symmetric crypto, is that it allows for backtracking-based SP-initiated flows, with dis-intermediation "options": plugins, call outs, choices, policy enforcements determined and enforced by the distributed agents along the handoff line (vs in the logic defined by a centralized PKI control system). The war between the approaches of writer-to-reader vs trusted messaging has been going on for 30 years, in military MHS design.</font></div> <div dir="ltr"><font face="Arial" size="2"></font> </div> <div dir="ltr"><font face="Arial" size="2">On a different topic, I note that (https) home_pw.myopenid.com has semantic annotations - using the vcard tags. 
Is it your idea that one or other AX provider would use that page as an authoritative source of attributes, to be sent to RPs?</font></div> <div dir="ltr"><font face="Arial" color="#000000" size="2"></font> </div></div> <div id="idSignature68925"> <div><font face="Arial" color="#000000" size="2"><span style="FONT-SIZE: 7.5pt">_________________________<br></span><b>Peter Williams<br></b><span style="FONT-SIZE: 7.5pt">Chief Information Security Officer<br>Mobile (805) 416-6305</span></font></div></div> <div dir="ltr"><br> <hr tabindex="-1"> <font face="Tahoma" size="2"><b>From:</b> Johannes Ernst<br><b>Sent:</b> Fri 3/21/2008 12:39 PM<br><b>To:</b> Chris Drake<br><b>Cc:</b> openid-general List<br><b>Subject:</b> Re: [OpenID] Thinking About OpenID.com<br></font><br></div> <div><p><font size="2">On 2008/03/20, at 3:34, Chris Drake wrote:<br>> 7) Legal responsibilities - probably not one that Providers are happy<br>> with, but, it's not the RP's fault if a customer account is<br>> plundered because of a fault with the login system - freeing up the<br>> RP from the legal liability/responsibility of that issue (eg: the<br>> customer would sue the Provider, not the RP)<br><br>Actually, no. The customer would sue both the RP and the OP, and the <br>RP would sue the OP -- at a minimum ;-) And one of the problems we <br>have with OpenID so far is that legal discovery would be very hard <br>because nobody could prove to anybody what they have done or not.<br><br>(This is one of the reasons why I originally picked GPG as the crypto <br>for LID instead of the symmetric keys that we have in OpenID -- if the RP <br>keeps the incoming requests around, the RP can show them later in <br>legal discovery and say "see, nobody could have produced this <br>signature at the encoded time stamp other than somebody in <br>possession of the private key, and that's not us, so we get to go home <br>free")<br><br>I continue to believe that we'll have to address this problem sooner <br>or later ... 
even if some people on this list seem to have some kind <br>of public-key phobia ;-)<br><br>Cheers,<br><br><br><br>Johannes.<br><br><br><br>Johannes Ernst<br>NetMesh Inc.<br><br><br></font></p></div></div></blockquote></div><br></div></body></html>