<HTML dir=ltr><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText70790 dir=ltr>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>I spent some time last night playing with the NetMesh LID service, trying to see how its use of public key controls supplements/augments/replaces control protocols and message flows used in OpenID2. What UniNett did in Mar07 (<A href="http://rnd.feide.no/node/36" target=_blank>http://rnd.feide.no/node/36</A>) for SAML1/SAML2/Shib/OpenID by making a multi-protocol PHP library, NetMesh seem to have done for OpenID/LID. </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>As LID went into the original consensus in defining OpenID (whose designers reportedly decided against any use of public key control systems), one might consider the LID topic closed. </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>At the same time, as OpenID2 goes beyond application to "authenticated blog comments" and now patently addresses general websso to corporate subsciption service like plaxo, pbwiki and Google Apps (via UniNett-style gateways), perhaps its time for a WG to revisit the LID (and other's) application of public key controls systems. Presumably, the goal would to ensure that the OP __controls__ the "intended recipient" of its assertions, addressing RP-proxying using classical "originator control (ORCON)" security policy enforcement techniques.</DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Nat Sakimura<BR><B>Sent:</B> Sun 3/23/2008 4:38 AM<BR><B>To:</B> Johannes Ernst<BR><B>Cc:</B> openid-general List<BR><B>Subject:</B> Re: [OpenID] Thinking About OpenID.com<BR></FONT><BR></DIV>
<DIV>Hi Johaness, <BR><BR>Actually, that is part of the reason why we are bringing the notion of Public Key back into the place in our proposal of reputation service and trusted data exchange. For a serious business apps, I suppose we need this kind of structure. <BR><BR>Let us disccuss them in the forthcoming WGs :-)<BR><BR>=nat<BR><BR>
<DIV><SPAN class=gmail_quote>2008/3/22, Johannes Ernst <<A href="mailto:jernst+openid.net@netmesh.us" target=_blank>jernst+openid.net@netmesh.us</A>>:</SPAN>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">On 2008/03/20, at 3:34, Chris Drake wrote:<BR>> 7) Legal responsibilities - probably not one that Providers are happy<BR>> with, but, it's not the RPs fault if a customer account is<BR>> plundered because of fault with the login system - freeing up the<BR>> RP from the legal liability/responsibility of that issue (eg: the<BR>> customer would sue the Provider, not the RP)<BR><BR><BR>Actually, no. The customer would sue both the RP and the OP, and the<BR>RP would sue the OP -- at a minimum ;-) And one of the problems with<BR>have with OpenID so far is that legal discovery would be very hard<BR>because nobody could prove to anybody what they have done or not.<BR><BR>(This is one of the reasons why I originally picked GPG as the crypto<BR>for LID instead of symmetric keys that we have in OpenID -- if the RP<BR>keeps the incoming requests around, the RP can show them later in<BR>legal discovery and say "see, nobody could have produced this<BR>signature at the encoded time stamp other than somebody in the<BR>possession of the private key, and that's not us, so we get to go home<BR>free")<BR><BR>I continue to believe that we'll have to address this problem sooner<BR>or later ... even if some people on this list seem to have some kind<BR>of public-key phobia ;-)<BR><BR>Cheers,<BR><BR><BR><BR>Johannes.<BR><BR><BR><BR><BR>Johannes Ernst<BR>NetMesh Inc.<BR><BR><BR><BR> <BR> <A href="http://netmesh.info/jernst" target=_blank>http://netmesh.info/jernst</A><BR><BR><BR>_______________________________________________<BR>general mailing list<BR><A href="mailto:general@openid.net" target=_blank>general@openid.net</A><BR><A href="http://openid.net/mailman/listinfo/general" target=_blank>http://openid.net/mailman/listinfo/general</A><BR><BR><BR></BLOCKQUOTE></DIV><BR><BR clear=all><BR>-- <BR>Nat Sakimura (=nat)<BR><A href="http://www.sakimura.org/en/" target=_blank>http://www.sakimura.org/en/</A> </DIV></BODY></HTML>