<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt">every creation story I've ever seen for OpenID has emphasized blog commenting.<br><br>Wrt HealthVault, Microsoft themselves seem somewhat ambivalent - appearing to place the burden of security review (of both OpenID and OPs) on users<br><br>https://account.healthvault.com/help.aspx?topicid=faq#OpenIDProviders<br><div> <br>paul<br></div>-- <br>Paul Madsen e:paulmadsen @
ntt-at.com<br>NTT p:613-482-0432<br>
m:613-302-1428<br> aim:PaulMdsn5<br> web:connectid.blogspot.com<div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">----- Original Message ----<br>From: Peter Williams
<pwilliams@rapattoni.com><br>To: Paul Madsen <paulmadsen@rogers.com>; Peter <peterw@tux.org><br>Cc: "general@openid.net" <general@openid.net><br>Sent: Wednesday, September 17, 2008 3:27:59 PM<br>Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many providers...<br><br>Out of interest, what were the use cases?<br><br>I've forgotten the name of the cissp who wrote the openid book, but I recall his take: cca (cross company authentication) and blog commenting.<br><br>For cca, one has myopenid as the gold standard (in outsourcing the op side of cca) and then there is/was plaxo as the gold standard consumer (since you account link several openids to the localuserid). For blogging, id pose google/blogger as the stand ard reference of using openid to get authication of comments, and yahoo as the classical reference on how to be an op in the world ofmega portals.<br><br>In the web2.0 world, we then had magnolia (notable for
having no localids) and claimid (notable for tagging documents you want to assert authorship of).<br><br>In the (paradoxical) higher assrance space (that liberty folk essentially question if even should really exist) we have microsoft heath vault service maintaing your sensitive health record confentiality, accepting openids from (only) trustbearer (who require strong user auth using dod cac smartcard, usfed piv card, or other javacard/globalplatform smartcard with decent rsa crypto strength (and fips 140-1 and cc assurance, ideally, on the soc in the chip and the id/keymanagement applets/firmware)<br><br>________________________________<br>From: Paul Madsen <<a ymailto="mailto:paulmadsen@rogers.com" href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>><br>Sent: Wednesday, September 17, 2008 11:42 AM<br>To: Peter <<a ymailto="mailto:peterw@tux.org" href="mailto:peterw@tux.org">peterw@tux.org</a>>; Peter Williams <<a
ymailto="mailto:pwilliams@rapattoni.com" href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>Cc: <a ymailto="mailto:general@openid.net" href="mailto:general@openid.net">general@openid.net</a> <<a ymailto="mailto:general@openid.net" href="mailto:general@openid.net">general@openid.net</a>><br>Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...<br><br>This comparison is not specific to security, but does address it<br><br><a href="http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html" target="_blank">http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html</a><br><br>paul<br><br>p.s. I am a SAML/Liberty participant. I would not argue that OpenID provides 'no' assurance - rather that it can provide a level of assurance appropriate to the use cases that drove its development. I know of no SAML advocate that would claim more than this correspondence for SAML.<br><br>--<br>Paul
Madsen e:paulmadsen @ ntt-at.com<br>NTT p:613-482-0432<br> m:613-302-1428<br> aim:PaulMdsn5<br>
web:connectid.blogspot.com<br><br><br>----- Original Message ----<br>From: Peter <<a ymailto="mailto:peterw@tux.org" href="mailto:peterw@tux.org">peterw@tux.org</a>><br>To: Peter Williams <<a ymailto="mailto:pwilliams@rapattoni.com" href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>Cc: "<a ymailto="mailto:general@openid.net" href="mailto:general@openid.net">general@openid.net</a>" <<a ymailto="mailto:general@openid.net" href="mailto:general@openid.net">general@openid.net</a>><br>Sent: Wednesday, September 17, 2008 2:19:46 PM<br>Subject: [OpenID] OpenID architecture critiques? Re: Too many providers...<br><br><br>Peter Williams <<a ymailto="mailto:pwilliams@rapattoni.com" href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a><mailto:<a ymailto="mailto:pwilliams@rapattoni.com" href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>>> wrote:<br>> Folks in the liberty alliance message
(openly and convincingly)<br>> that openid cannot ever - inherently - be used for any purpose<br>> requiring "assurance". They point to the undisputed claim that<br>> the open designers knowingly made design tradeoffs in the crypto<br>> handshake and security critical securty service composition rules,<br>> so as to make it all easy to deploy and adopt. Because of this<br>> precept, openid cannot even *be* fixed (since low assurance is the<br>> actual goal).<br><br>As someone who's moving towards integrating OpenID (RP and OP) into his<br>employer's web apps, I would very much appreciate URLs to such critiques.<br><br>From what I see, the most glaring problem is that some "major sites" that<br>act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so<br>RPs cannot leverage cheap, ubiqitous SSL/TLS PKI to help thwart the more<br>obvious DNS and MITM/phishing attacks.<br><br>BTW, whoever maintains <a
href="http://openid.net/get/" target="_blank">http://openid.net/get/</a> should probably change the<br>Yahoo information to "<a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a>" since that works and, unlike<br><a href="http://openid.yahoo.com/" target="_blank">http://openid.yahoo.com/</a>, uses SSL/TLS.<br><br>Thanks,<br><br>Peter<br><br>_______________________________________________<br>general mailing list<br><a ymailto="mailto:general@openid.net" href="mailto:general@openid.net">general@openid.net</a><mailto:<a ymailto="mailto:general@openid.net" href="mailto:general@openid.net">general@openid.net</a>><br><a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br></div></div></div></body></html>