<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On 22-May-08, at 10:14 AM, Nate Klingenstein wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "> Dick,<div><div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div>I may have misinterpreted the discussion, but the OP reputation conversation seemed to be around wanting to know if the OP was spammy, is reliable etc. -> I think the email analogy works well there.</div></span></blockquote><div><br></div><div>Even after ORBS, Spamhaus, MAAWG, etc., we're still sitting at 85-90% spam. I'd like to do better than that. Email is a major attack vector too, particularly with spear phishing. I truly hope Cardspace takes off. You wouldn't believe how many people must... click... that... 
link...</div><div><br></div><div><a href="http://en.wikipedia.org/wiki/E-mail_spam#As_a_percentage_of_the_total_volume_of_e-mail">http://en.wikipedia.org/wiki/E-mail_spam#As_a_percentage_of_the_total_volume_of_e-mail</a></div><div><br></div><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div>As for knowing there was strong authentication used at an OP by a user, I would propose that a claim made by a trusted strong auth vendor be requested by the RP. </div><div>To elaborate, any OP could acquire a strong auth solution from a certified vendor and then offer that service to its users. This separates the function of strong authentication from the function of being an OP.</div></span></blockquote><div><br></div><div>Why would the vendor or the authentication method be the only important variable here? I can issue plenty of certificates or one-time passwords that are perfectly bogus using a variety of products of your choice.</div></div></div></div></blockquote><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><div><br></div><div>I think the operational practices of the OP are much more important. 
In talking with various agencies and major RPs, they've expressed a similar opinion.</div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div>Given the goal of creating an open infrastructure, I see OP reputation mechanisms to be problematic if for no other reason than it creates a closed environment of who can be an OP and you get all the issues you have today with certificate authorities.</div></span></blockquote><div><br></div><div>Yes, the UC System is a closed environment. The set of accredited universities is too. They have the ability to confer degrees on individuals and they purchase access to resources for their members. They have special attributes they use that they wouldn't expect anyone else to understand anyway. How do CAs or their issues naturally follow?</div><div><br></div><div>I'd like to be able to select my protocols based on what applications support, not characteristics of a deployment paradigm. I'd also like to be able to construct different policies for different RPs, but use the same identity infrastructure to reduce duplication.</div><div><br></div><div>Do you consider OpenID an inappropriate protocol for these use cases? If so, I've learned something very important, and I'm really glad I asked...</div></div></div></div></blockquote><div><br></div><div>Ok. I think I see the disconnect now. (... 
but maybe not ;)</div><div><br></div><div>There is OpenID, the set of protocols, and an OpenID, an identifier.</div><div><br></div><div>Is an OpenID identifier appropriate for your use cases? I don't think so.</div><div><br></div><div>BUT, you could use the protocols to request and receive a claim from a trusted source saying something about the user. We (Sxip) demoed some code to do that, but to date, the OpenID community has been focused on other requirements.</div><div><br></div><div>Perhaps a couple of analogies may work. We can use IP to move traffic around between any site, and we use the same transport to create VPNs to move more secure, trusted traffic. We can use OpenID to solve the broader internet identity problems and then move trusted claims using the same protocol for more secure, trusted information flow.</div><div><br></div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div><div><br></div><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div>OpenID reputation mechanisms are a completely different matter, as you are judging how an OpenID has been used.</div></span></blockquote><br></div><div>How is judging the OP completely different from judging the ID? 
If anything, wouldn't all IDs from an untrustworthy OP be considered unreliable?</div></div></div></blockquote><div><br></div><div>Which OP is managing an Identifier at a particular point in time should be irrelevant to the RP.</div><div><br></div><div>Let me know if this is resonating or not!</div><div><br></div><div>-- Dick</div><div><br></div><div><br></div></div></body></html>