<HTML dir=ltr><HEAD></HEAD>
<BODY>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV id=idOWAReplyText23184 dir=ltr>
<DIV dir=ltr><BR>Imagine one of our students wants to export their identity. Now their new OP has to convince RP's that they are a <A href="mailto:student@example.edu" target=_blank>student@example.edu</A>. Remember that <A href="mailto:student@example.edu" target=_blank>student@example.edu</A> gets you access to expensive, licensed stuff. That makes it difficult and costly for the RP to trust any OP in the world to state <A href="mailto:student@example.edu" target=_blank>student@example.edu</A>. Do we give the OP a signed blob saying "<A href="mailto:userid@outsourced.org" target=_blank>userid@outsourced.org</A>, expiration, <A href="mailto:student@example.edu" target=_blank>student@example.edu</A>, quoth me"? I don't want to deal with attribute revocation...<BR></DIV></DIV></BLOCKQUOTE>
<DIV class=gmail_quote>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><BR>Babu> This issue remains even for today's OpenID solution ? How can an OP vouch whether someone is "someone he claims to" (in the case above, whether someone is a student) ? All that OpenID is trying to solve is to centralize one's identity to a single place. As I understand, OpenID doesn't give a trust that this digital ID belongs to so-and-so person with so-and-so attributes. <BR></DIV></BLOCKQUOTE>
<DIV> </DIV>
<DIV>You describing something that essentially is NOT OpenID; you are describing the typical TTP of which HailStorm was the poster child on how to abuse the power of TTPs (through sheer policy incompetence, vs malice, in the Microsoft case). A TTP confirms and vouchs for facts, often under the control of a delegating authority. It confirms. It convinces. It assures. It deegates down. It makes hierachies. It "exports." It provides bases of confidence. Its gets lots of qudos from the world of auditors, insurers, regulators and FERPA/HIPPA types. But, none of these concepts are native plants in the OpenID wilderness, however. OpenID focuses directly on the users, not the middlemen that are selling assurance services.</DIV>
<DIV> </DIV>
<DIV>Compare:-</DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV>The role of a TTP in PKI is to subscribe people to its policy, thereby reassuring relying parties. Third party centric. Always three parties to the "contract".</DIV>
<DIV> </DIV>
<DIV>The role of the OPs in UCI is to project what each user desires, each and every time. User centric. Just two parties in the "contract."</DIV></BLOCKQUOTE>
<DIV> </DIV>
<DIV>In the UCI world, you (yes YOU, powerful, authoritive, self-aware YOU) simply convert each of the 10+ accounts where you already have used a typical registration wizard to create a localized identity into ones that can now be shared. Recall <A href="mailto:you@uni.edu" target=_blank>you@uni.edu</A> probably have 10+ of them already, each provisioned well enough for 1 function already. If you start with 10 accounts... you utimately end up with 10 OPs whose already "well-enough provisioned" attributes can now be shared by you with other sites, as YOU determine they have similar requirements for identity assurance.</DIV>
<DIV> </DIV>
<DIV>Now, put the list of 10 OPs into your personal metadata file on a webserver, and hereonafter cite the URL of the metadata file to the world that is willing to use resolver service to discover your various identity stores (plural). The protocol decides enables one you select which one will be consumed, today, on any given site - probably during initial registration. You (not that TTP) work no harder in maintaining each of those 10 identity stores than... you already don't do today, of course.</DIV>
<DIV> </DIV>
<DIV>If one applies the 20+ year old TTP analysis techniques to OpenID, you limit yourself to a C grade at best. I might award a C+ if one gets creative and makes the argument that root key distribution and discovery in TTP PKI and discovery in trusted name servers in UCI are related. If one argues too far claiming that the semantics of the identiy infrastructures are equivalent, one starts to lose formal points. Yes I'm evaluating you, just as you evaluate me. Thats the nature of the process in the world of OpenID reputation, getting and giving qudos. </DIV>
<DIV> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV>Babu> Okay. What are the channels provided in OpenID group to initiate such process ?<BR><BR>Lets take take the issues we are discussing here to a forum where a decision can be taken on whether OpenID goals should be reframed to have:<BR> - OP-independent/global digital identity (to be created by user at central digital identity server)<BR> - RPs to contact central digital identity server to identify the current OP of a digital ID<BR> - data migration across OPs<BR><BR>Do we have a process/channel in OpenID to propose suggestions to existing framework ? Or is it closed only to some internal technical members of OpenID ? </DIV></BLOCKQUOTE>
<DIV>You are using the general list, a discussion forum that is not controlled by IPR rules. It exists so at least 1 populist forum exists that is not work-product focused. It exists to have this type of discussion, to draw you into the inner circle. Join the Foundation and argue your case on the more "organized" lists. Whether or not anyone will accept the rationale to "reframe" the movement is entirely up to you. Dont expect these kinds of discussions tho - focus on editorial changes or introduce new specifications. If the reframing imposes TTP on something trying not to be TTP, I would not be suprised to see someone question the intent of that "reframing". As in all open movements, the process is political at the end of the day; you will have to work up the concensus for change. Pure reason will be as useless in OpenID politics as it is in any other political forum. </DIV>
<DIV> </DIV>
<DIV>A good place to start to see which components of TTP and UCI culture can co-exist is to review SPKI - an earlier UCI effort from Rivest, Lampson et al. Focus first on why it didnt get anywhere, politically; and don't make the same mistakes. Do perhaps steal all the excellent crypto methods!</DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<P> </P></BLOCKQUOTE></BLOCKQUOTE></DIV></BODY></HTML>