<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.5pt;
        font-family:Consolas;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:Consolas;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText>Not a lot of early replies, were there? Folks need to understand
that clever representations are now being made in their name as unnamed designers
(that are formally 100% correct, as are a good politician's claims, until
contested by analysis), that essentially message that openid is simply not
adoptable for controlling any substantive business risk. The claim bases its
truthfulness on a reference to a lack of security features and (this is the
killer) its designers' intent in that regard.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I'll write down my beliefs about certain people who we
can count amongst the founding group. "Never met personally" means my beliefs
are drawn from general email tone, public or private. Material in [] is neither
fact checked nor a formal quote attributed to the person.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Johannes (never met personally)-
LID was supposed to do CCA login. [The contribution of LID to openid carried
forward the CCA use case.]<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Dick (never met, personally) -
it's nuts to actually use openid2 for websso/cca. It's not good enough for that [in
design/operational culture].<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>David: openid is mostly about blogging
and perhaps traditional wiki groupware login, as reflected in 10-20 new "openid
adoptions" each day [because someone deploys an "openid-capable"
software suite, like a blog suite] and 15,000 documented adoptions of myopenid's
outsourcing service supporting those blog suite deployments.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I’ve also done de-briefs of most of the original VeriSign
PIP team, since meeting David in person. This was also quite revealing about
the design and review cycle, relations with the SAML component of VeriSign,
since they spoke quite openly (as none continue to work for VeriSign).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I’ve forgotten the person’s name, but someone
from the UK crowd (probably) expressed the basic mission of UCI/OpenID eloquently,
once: use any OP you like without fear, because you the consumer will soon move
away from it when you find that folks’ refusal to accept it makes it essentially
useless. Such indirect, negative feedback by RPs against poor quality OPs
through inconveniencing the user is apparently the basis of the assurance model,
and will [would] ideally translate into the authenticated comments allowing openid
to serve as a web-wide basis for addressing blogspam, once such reputation
management principles are applied similarly to users.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>If OpenID is to be used in consort with ws-trust
protocols, or OAUTH, the perception (being essentially concertedly messaged by
Liberty Alliance folk) may persist that “mere association with openid”
brings down the consorting protocol to the low-assurance level inherent in the very
trademark "OpenID". That is, merge cardspace with openid, and you just
get openid-grade cardspace.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>-----Original Message-----<br>
From: general-bounces@openid.net [mailto:general-bounces@openid.net] On Behalf
Of Peter Williams<br>
Sent: Wednesday, September 17, 2008 2:30 PM<br>
To: Paul Madsen<br>
Cc: general@openid.net<br>
Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many providers...<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I'm more interested in the designers' view of the intent.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>First, were they designing for cca?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Did they have expectations that only certain types of cca were
envisaged, to only certain types of app (eg classical wiki behaviour)?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>________________________________<o:p></o:p></p>
<p class=MsoPlainText>From: Paul Madsen <paulmadsen@rogers.com><o:p></o:p></p>
<p class=MsoPlainText>Sent: Wednesday, September 17, 2008 1:30 PM<o:p></o:p></p>
<p class=MsoPlainText>To: Peter Williams <pwilliams@rapattoni.com><o:p></o:p></p>
<p class=MsoPlainText>Cc: general@openid.net <general@openid.net><o:p></o:p></p>
<p class=MsoPlainText>Subject: Re: [OpenID] OpenID architecture critiques? Re:
Too many providers...<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Peter, I'm not going to make blanket statements about the
applicability of OpenID (or any authentication technology) to particular
classes of use cases. OMB/NIST got there first.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I will claim as a principle that the level of assurance
engendered by proofing, registration, and authentication, etc. should be
commensurate with that provided by the assertion protocol. And that applies to
SAML Web SSO profile, WS-Fed, Infocards, etc.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>regards<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>paul<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>--<br>
Paul Madsen<br>
e:paulmadsen @ ntt-at.com<br>
NTT<br>
p:613-482-0432<br>
m:613-302-1428<br>
aim:PaulMdsn5<br>
web:connectid.blogspot.com<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>----- Original Message ----<o:p></o:p></p>
<p class=MsoPlainText>From: Peter Williams <pwilliams@rapattoni.com><o:p></o:p></p>
<p class=MsoPlainText>To: Paul Madsen <paulmadsen@rogers.com>; Peter
<peterw@tux.org><o:p></o:p></p>
<p class=MsoPlainText>Cc: "general@openid.net"
<general@openid.net><o:p></o:p></p>
<p class=MsoPlainText>Sent: Wednesday, September 17, 2008 4:06:15 PM<o:p></o:p></p>
<p class=MsoPlainText>Subject: RE: [OpenID] OpenID architecture critiques? Re:
Too many providers...<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>So...we have the creationists on the list.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I gave a long list of cca applications. Was cca a use
case that the design addressed?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>When one uses openid to logon to the concordia mediawiki,
was this use part of the concept?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Is there anything inappropriate about using openid2 for
mediawiki logon?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Should openid (of any quality, and user auth strength)
never be used on a wiki doing access controlled business activities (eg one of
the business groupware wikis provided by the pbwiki firm)?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>________________________________<o:p></o:p></p>
<p class=MsoPlainText>From: Paul Madsen <paulmadsen@rogers.com><o:p></o:p></p>
<p class=MsoPlainText>Sent: Wednesday, September 17, 2008 12:56 PM<o:p></o:p></p>
<p class=MsoPlainText>To: Peter Williams <pwilliams@rapattoni.com>; Peter
<peterw@tux.org><o:p></o:p></p>
<p class=MsoPlainText>Cc: general@openid.net <general@openid.net><o:p></o:p></p>
<p class=MsoPlainText>Subject: Re: [OpenID] OpenID architecture critiques? Re:
Too many providers...<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>every creation story I've ever seen for OpenID has
emphasized blog commenting.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Wrt HealthVault, Microsoft themselves seem somewhat
ambivalent - appearing to place the burden of security review (of both
OpenID and OPs) on users<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>https://account.healthvault.com/help.aspx?topicid=faq#OpenIDProviders<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>paul<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>----- Original Message ----<o:p></o:p></p>
<p class=MsoPlainText>From: Peter Williams <pwilliams@rapattoni.com><o:p></o:p></p>
<p class=MsoPlainText>To: Paul Madsen <paulmadsen@rogers.com>; Peter
<peterw@tux.org><o:p></o:p></p>
<p class=MsoPlainText>Cc: "general@openid.net" <general@openid.net><o:p></o:p></p>
<p class=MsoPlainText>Sent: Wednesday, September 17, 2008 3:27:59 PM<o:p></o:p></p>
<p class=MsoPlainText>Subject: RE: [OpenID] OpenID architecture critiques? Re:
Too many providers...<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Out of interest, what were the use cases?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I've forgotten the name of the cissp who wrote the openid
book, but I recall his take: cca (cross company authentication) and blog
commenting.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>For cca, one has myopenid as the gold standard (in
outsourcing the op side of cca) and then there is/was plaxo as the gold
standard consumer (since you account link several openids to the localuserid).
For blogging, I'd pose google/blogger as the standard reference of using openid
to get authentication of comments, and yahoo as the classical reference on how to
be an op in the world of mega portals.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>In the web2.0 world, we then had magnolia (notable for
having no localids) and claimid (notable for tagging documents you want to
assert authorship of).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>In the (paradoxical) higher assurance space (that liberty
folk essentially question whether it should even exist) we have microsoft health
vault service maintaining your sensitive health record confidentiality, accepting
openids from (only) trustbearer (who require strong user auth using dod cac
smartcard, usfed piv card, or other javacard/globalplatform smartcard with
decent rsa crypto strength (and fips 140-1 and cc assurance, ideally, on the
soc in the chip and the id/keymanagement applets/firmware)).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>________________________________<o:p></o:p></p>
<p class=MsoPlainText>From: Paul Madsen <paulmadsen@rogers.com><o:p></o:p></p>
<p class=MsoPlainText>Sent: Wednesday, September 17, 2008 11:42 AM<o:p></o:p></p>
<p class=MsoPlainText>To: Peter <peterw@tux.org>; Peter Williams
<pwilliams@rapattoni.com><o:p></o:p></p>
<p class=MsoPlainText>Cc: general@openid.net <general@openid.net><o:p></o:p></p>
<p class=MsoPlainText>Subject: Re: [OpenID] OpenID architecture critiques? Re:
Too many providers...<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>This comparison is not specific to security, but does
address it<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>paul<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>p.s. I am a SAML/Liberty participant. I would not argue
that OpenID provides 'no' assurance - rather that it can provide a level of
assurance appropriate to the use cases that drove its development. I know of no
SAML advocate that would claim more than this correspondence for SAML.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>----- Original Message ----<o:p></o:p></p>
<p class=MsoPlainText>From: Peter <peterw@tux.org><o:p></o:p></p>
<p class=MsoPlainText>To: Peter Williams <pwilliams@rapattoni.com><o:p></o:p></p>
<p class=MsoPlainText>Cc: "general@openid.net" <general@openid.net><o:p></o:p></p>
<p class=MsoPlainText>Sent: Wednesday, September 17, 2008 2:19:46 PM<o:p></o:p></p>
<p class=MsoPlainText>Subject: [OpenID] OpenID architecture critiques? Re: Too
many providers...<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Peter Williams <pwilliams@rapattoni.com> wrote:<o:p></o:p></p>
<p class=MsoPlainText>> Folks in the liberty alliance message (openly and
convincingly)<o:p></o:p></p>
<p class=MsoPlainText>> that openid cannot ever - inherently - be used for
any purpose<o:p></o:p></p>
<p class=MsoPlainText>> requiring "assurance". They point to
the undisputed claim that<o:p></o:p></p>
<p class=MsoPlainText>> the open designers knowingly made design tradeoffs
in the crypto<o:p></o:p></p>
<p class=MsoPlainText>> handshake and security critical security service
composition rules,<o:p></o:p></p>
<p class=MsoPlainText>> so as to make it all easy to deploy and adopt.
Because of this<o:p></o:p></p>
<p class=MsoPlainText>> precept, openid cannot even *be* fixed (since low
assurance is the<o:p></o:p></p>
<p class=MsoPlainText>> actual goal).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>As someone who's moving towards integrating OpenID (RP
and OP) into his<o:p></o:p></p>
<p class=MsoPlainText>employer's web apps, I would very much appreciate URLs to
such critiques.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>From what I see, the most glaring problem is that some
"major sites" that<o:p></o:p></p>
<p class=MsoPlainText>act as OPs (Flickr, AOL, etc.) still do not have https://
identity URLs, so<o:p></o:p></p>
<p class=MsoPlainText>RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help
thwart the more<o:p></o:p></p>
<p class=MsoPlainText>obvious DNS and MITM/phishing attacks.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>BTW, whoever maintains http://openid.net/get/ should
probably change the<o:p></o:p></p>
<p class=MsoPlainText>Yahoo information to "https://me.yahoo.com/"
since that works and, unlike<o:p></o:p></p>
<p class=MsoPlainText>http://openid.yahoo.com/, uses SSL/TLS.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Thanks,<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Peter<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>_______________________________________________<o:p></o:p></p>
<p class=MsoPlainText>general mailing list<o:p></o:p></p>
<p class=MsoPlainText>general@openid.net<o:p></o:p></p>
<p class=MsoPlainText>http://openid.net/mailman/listinfo/general<o:p></o:p></p>
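<p class=MsoPlainText>Peter's point above (OPs whose identity URLs are plain http leave the RP unable to use the TLS PKI against DNS and man-in-the-middle tampering during discovery) can be turned into an RP-side policy check. The following is an added example written for this page; it is not code from any participant in the thread, from the OpenID Foundation, or from any OpenID library. It normalizes a user-typed identifier along the lines of the OpenID 2.0 URL-identifier rules (no scheme means http://, fragment dropped, RFC 3986 case and port normalization) and then refuses to proceed unless both the claimed identifier and the OP endpoint obtained from discovery are https. The endpoint URL "https://op.example.net/openid/auth" is a constructed placeholder; the Yahoo URLs are the ones Peter names.</p>

```python
"""RP-side transport policy check for OpenID 2.0 claimed identifiers.

Added example for this thread; not code from any message author or from the
OpenID specification. It normalizes a URL identifier roughly as OpenID 2.0
section 7.2 describes, then applies the policy argued for in the thread:
proceed only when the identifier and the OP endpoint are served over https,
so the RP can rely on the TLS PKI during discovery and verification.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(raw: str) -> str:
    """Normalize a URL identifier (URL branch of OpenID 2.0 sec. 7.2 only).

    - without a scheme, "http://" is prepended; this is what the spec says,
      and it is why a bare "me.yahoo.com" lands on plain http;
    - the fragment is removed;
    - scheme and host are lower-cased, a default port is dropped and an
      empty path becomes "/" (RFC 3986 syntax-based normalization).
    XRI identifiers (xri:// or a leading =@+$! character) are out of scope.
    """
    raw = raw.strip()
    if not raw:
        raise ValueError("empty identifier")
    if "://" not in raw:
        raw = "http://" + raw
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # None when absent; ValueError if not numeric
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    # Empty last element drops the fragment; userinfo is intentionally discarded.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


@dataclass(frozen=True)
class TransportVerdict:
    identifier: str   # normalized claimed identifier
    endpoint: str     # OP endpoint URL the RP obtained from discovery
    accepted: bool
    reason: str


def assess_transport(raw_identifier: str, op_endpoint: str) -> TransportVerdict:
    """Decide whether the RP should proceed with this identifier/OP pair.

    Both the identifier (fetched during discovery) and the OP endpoint (where
    the browser is redirected and where direct verification is performed)
    must be https; otherwise whoever controls DNS or the path between RP and
    OP can answer discovery or the verification request in the OP's place.
    """
    ident = normalize_identifier(raw_identifier)
    ep = urlsplit(op_endpoint)
    if not ident.startswith("https://"):
        return TransportVerdict(ident, op_endpoint, False,
                                "claimed identifier is not served over https")
    if ep.scheme.lower() != "https" or not ep.hostname:
        return TransportVerdict(ident, op_endpoint, False,
                                "OP endpoint is not served over https")
    return TransportVerdict(ident, op_endpoint, True,
                            "identifier and OP endpoint both use https")


if __name__ == "__main__":
    # Constructed sample inputs; the endpoint is a placeholder, not a real OP.
    ENDPOINT = "https://op.example.net/openid/auth"
    for typed in ("me.yahoo.com", "https://me.yahoo.com/",
                  "http://openid.yahoo.com/", "HTTPS://Me.Yahoo.com:443/#frag"):
        v = assess_transport(typed, ENDPOINT)
        print(f"{typed!r:36} -> {v.identifier:28} accepted={v.accepted}  ({v.reason})")
```

<p class=MsoPlainText>The check deliberately rejects the bare "me.yahoo.com" form: the spec's normalization turns it into an http identifier, so an RP wanting TLS protection has to either prompt the user for the https form or perform a separate, TLS-protected upgrade step before trusting the discovery result.</p>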
</div>
</body>
</html>