<HTML dir=ltr><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText15227 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Seeing as we are touching on the topics of TTPs,reputation and identity pages at myopenid (and flickr?), we should go a bit further in the discussion.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Being well trained in classical comsec and infosec security engineering but being dumb in web2.0 security, I really struggle with the terminology and processes used in the lightweight id comunity, including openid and microid. Nonetheless, I suspect its microids that we should focus on, particular as they relate to http:// and xri:// form of OpenIDs. The three topics of TTP, reputation and identity pages seem to converge in microids.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>1. on the basis that I have confirmed by email address to myopenid, the identity page there has a lightweight cliam for the identity page. I have not verified it, but I assume the microid in the metadata asserts that (a) peter's email address is entityA, the openid URL (ie. the identity page) is entityB. I also assume that the service provider is myopenid, who "issues" the microid.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>2. I may login at cliamid.com using myopenid, implicitely account-linking that id cliam to an account at this consumer, and - I'm guessing - implicitely asking claimid to verify my lightweight claims associated with openid-based login sessions. I assume (not that Ive tried it yet) that a public page at cliamid will list myopenid URL (and therefore the associated identity page resource) as something I've have asserted authorship over.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>3. Im GUESSING that cliamid receive my email address from myopenid using openid auth/sreg/AX during session translation (classically, from IDP to SP), and can thus from the 2 data claims (sreg.email and openid.claimedID) supplied over that OpenID Association now compute the microid and verify it agrees with that on the referecned "identity page".</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>4. I assume, claimID then post the link to myopenid identity page on mycliamid portal page, stamping that in turn with an microid "issued by" some TTP.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>5. I guess Im supposed to now use my blog and make reputation cliams about lots of other OPs. Im to use a "TTP" to compute the microid for each such statement, and edit it into the HTML microformat encapulating the statement. The blog's RSS feed will then distributed my reputation statement (and the microids) to the world. </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>6. Presumably my own blog provider will one day refuse to accept comments posted by openid-ers whose OP are below a reputation-threshold I set - and/or my consumer will search the commentators metadata for the OP of several that satisfies the rule.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Have I got the "openid" reputation pocess about right, including the role of TTPs, identity pages, microid verifiers, reputation making?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>We are building a new membership system for a million realtors in the US; it would be nice to understand all this properly, and "get it right", so it promotes the wider openid mission. I feel like Im at about 20% confidence I understand the theory and the process, about now.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>-------</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Notes on more advanced modeling involving XRI and then trusted resolution mode of XRI2:</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>IN the case the microid has an xri: form URI as the subscriber entity (once regitered with IANA, once OASIS have ratified XRI2.0), can we assume that a TTP-grade issuer might first resolve the xri?... and perhaps use trusted resolution before performing the issuing?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Can a TTP-grade microid "issuer" use the result of (specifically) the trusted resolution of an XRI form URI ...as the subscriber's entity URI when computing/verifying the microid?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV></DIV>
<DIV id=idSignature64346 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 7.5pt">_________________________<BR></SPAN><B>Peter Williams<BR></B></FONT><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Peter Williams<BR><B>Sent:</B> Sat 5/31/2008 9:48 AM<BR><B>To:</B> Babu N<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> RE: [OpenID] query regarding OP migration<BR></FONT><BR></DIV></DIV>
<DIV dir=ltr>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV id=idOWAReplyText23184 dir=ltr>
<DIV dir=ltr><BR>Imagine one of our students wants to export their identity. Now their new OP has to convince RP's that they are a <A href="mailto:student@example.edu" target=_blank>student@example.edu</A>. Remember that <A href="mailto:student@example.edu" target=_blank>student@example.edu</A> gets you access to expensive, licensed stuff. That makes it difficult and costly for the RP to trust any OP in the world to state <A href="mailto:student@example.edu" target=_blank>student@example.edu</A>. Do we give the OP a signed blob saying "<A href="mailto:userid@outsourced.org" target=_blank>userid@outsourced.org</A>, expiration, <A href="mailto:student@example.edu" target=_blank>student@example.edu</A>, quoth me"? I don't want to deal with attribute revocation...<BR></DIV></DIV></BLOCKQUOTE>
<DIV class=gmail_quote>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><BR>Babu> This issue remains even for today's OpenID solution ? How can an OP vouch whether someone is "someone he claims to" (in the case above, whether someone is a student) ? All that OpenID is trying to solve is to centralize one's identity to a single place. As I understand, OpenID doesn't give a trust that this digital ID belongs to so-and-so person with so-and-so attributes. <BR></DIV></BLOCKQUOTE>
<DIV> </DIV>
<DIV>You describing something that essentially is NOT OpenID; you are describing the typical TTP of which HailStorm was the poster child on how to abuse the power of TTPs (through sheer policy incompetence, vs malice, in the Microsoft case). A TTP confirms and vouchs for facts, often under the control of a delegating authority. It confirms. It convinces. It assures. It deegates down. It makes hierachies. It "exports." It provides bases of confidence. Its gets lots of qudos from the world of auditors, insurers, regulators and FERPA/HIPPA types. But, none of these concepts are native plants in the OpenID wilderness, however. OpenID focuses directly on the users, not the middlemen that are selling assurance services.</DIV>
<DIV> </DIV>
<DIV>Compare:-</DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV>The role of a TTP in PKI is to subscribe people to its policy, thereby reassuring relying parties. Third party centric. Always three parties to the "contract".</DIV>
<DIV> </DIV>
<DIV>The role of the OPs in UCI is to project what each user desires, each and every time. User centric. Just two parties in the "contract."</DIV></BLOCKQUOTE>
<DIV> </DIV>
<DIV>In the UCI world, you (yes YOU, powerful, authoritive, self-aware YOU) simply convert each of the 10+ accounts where you already have used a typical registration wizard to create a localized identity into ones that can now be shared. Recall <A href="mailto:you@uni.edu" target=_blank>you@uni.edu</A> probably have 10+ of them already, each provisioned well enough for 1 function already. If you start with 10 accounts... you utimately end up with 10 OPs whose already "well-enough provisioned" attributes can now be shared by you with other sites, as YOU determine they have similar requirements for identity assurance.</DIV>
<DIV> </DIV>
<DIV>Now, put the list of 10 OPs into your personal metadata file on a webserver, and hereonafter cite the URL of the metadata file to the world that is willing to use resolver service to discover your various identity stores (plural). The protocol decides enables one you select which one will be consumed, today, on any given site - probably during initial registration. You (not that TTP) work no harder in maintaining each of those 10 identity stores than... you already don't do today, of course.</DIV>
<DIV> </DIV>
<DIV>If one applies the 20+ year old TTP analysis techniques to OpenID, you limit yourself to a C grade at best. I might award a C+ if one gets creative and makes the argument that root key distribution and discovery in TTP PKI and discovery in trusted name servers in UCI are related. If one argues too far claiming that the semantics of the identiy infrastructures are equivalent, one starts to lose formal points. Yes I'm evaluating you, just as you evaluate me. Thats the nature of the process in the world of OpenID reputation, getting and giving qudos. </DIV>
<DIV> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV>Babu> Okay. What are the channels provided in OpenID group to initiate such process ?<BR><BR>Lets take take the issues we are discussing here to a forum where a decision can be taken on whether OpenID goals should be reframed to have:<BR> - OP-independent/global digital identity (to be created by user at central digital identity server)<BR> - RPs to contact central digital identity server to identify the current OP of a digital ID<BR> - data migration across OPs<BR><BR>Do we have a process/channel in OpenID to propose suggestions to existing framework ? Or is it closed only to some internal technical members of OpenID ? </DIV></BLOCKQUOTE>
<DIV>You are using the general list, a discussion forum that is not controlled by IPR rules. It exists so at least 1 populist forum exists that is not work-product focused. It exists to have this type of discussion, to draw you into the inner circle. Join the Foundation and argue your case on the more "organized" lists. Whether or not anyone will accept the rationale to "reframe" the movement is entirely up to you. Dont expect these kinds of discussions tho - focus on editorial changes or introduce new specifications. If the reframing imposes TTP on something trying not to be TTP, I would not be suprised to see someone question the intent of that "reframing". As in all open movements, the process is political at the end of the day; you will have to work up the concensus for change. Pure reason will be as useless in OpenID politics as it is in any other political forum. </DIV>
<DIV> </DIV>
<DIV>A good place to start to see which components of TTP and UCI culture can co-exist is to review SPKI - an earlier UCI effort from Rivest, Lampson et al. Focus first on why it didnt get anywhere, politically; and don't make the same mistakes. Do perhaps steal all the excellent crypto methods!</DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<P> </P></BLOCKQUOTE></BLOCKQUOTE></DIV></DIV></BODY></HTML>