<div dir="ltr">+1<div><br></div><div>From what I can tell from my experience with 50+ possible RPs, assurance and security is their biggest concern and barrier technically. (Of course, ROI is another, but this is more a business side.) </div>
<div><br></div><div>We can actually do a profiling of OpenID so that it will be more secure, and in some cases, create an extension to bolster it up. IMHO, this is what we need right now. </div><div><br></div><div>=nat<br>
<br><div class="gmail_quote">On Fri, Sep 19, 2008 at 3:23 AM, Tatsuki Sakushima <span dir="ltr"><<a href="mailto:tatsuki@nri.com">tatsuki@nri.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
My sympathy here. Limiting potential is a bad idea. The community should<br>
work on how to make this happen, not limiting use cases. We need more RP<br>
adoption anyway. Many businesses out there can not be ignored. We should<br>
think even harder about how to make them feel comfortable using OpenID as<br>
an SSO means.<br>
<br>
Tatsuki Sakushima<br>
NRI Pacific - Nomura Research Institute America, Inc.<br>
<br>
Peter Williams wrote:<br>
<div><div></div><div class="Wj3C7c">> Not a lot of early replies, were there? Folks need to understand that<br>
> clever representations are now being made in their name as unnamed<br>
> designers (that are formally 100% correct, as are a good politician's<br>
> claims, until contested by analysis), that essentially message that<br>
> openid is simply not adoptable for controlling any substantive business<br>
> risk. The claim bases its truthfulness on a reference to lack of<br>
> security features and (this is the killer) its designers' intent in that<br>
> regard.<br>
><br>
><br>
><br>
> I'll write down my beliefs about certain people who we can count amongst<br>
> the founding group. Never met personally means, my beliefs are drawn<br>
> from general email tone, public or private. Material in [] is neither<br>
> fact checked nor a formal quote attribute to the person.<br>
><br>
><br>
><br>
> Johannes (never met personally)- LID was supposed to do CCA login. [The<br>
> contribution of LID to openid carried forward the CCA use case.]<br>
><br>
><br>
><br>
> Dick (never met, personally) - it's nuts to actually use openid2 for<br>
> websso/cca. It's not good enough for that [in design/operational culture].<br>
><br>
><br>
><br>
> David: openid is mostly about blogging and perhaps traditional wiki<br>
> groupware login, as reflected in 10-20 new "openid adoptions" each day<br>
> [because someone deploys an "openid-capable" software suite, like a blog<br>
> suite] and 15,000 documented adoptions of myopenid's outsourcing service<br>
> supporting those blog suite deployments.<br>
><br>
><br>
><br>
> I've also done de-briefs of most of the original VeriSign PIP team,<br>
> since meeting David in person. This was also quite revealing about the<br>
> design and review cycle, relations with the SAML component of VeriSign,<br>
> since they spoke quite openly (as none continue to work for VeriSign).<br>
><br>
><br>
><br>
> I've forgotten the person's name, but someone from the UK crowd<br>
> (probably) expressed the basic mission of UCI/OpenID eloquently, once:<br>
> use any OP you like without fear, because you the consumer will soon<br>
> move away from it when you find that folks' refusal to accept it makes<br>
> it essentially useless. Such indirect, negative feedback by RPs against<br>
> poor quality OPs by RPs through inconveniencing the user is apparently<br>
> the basis of the assurance model, and will [would] ideally translate<br>
> into the authenticated comments allowing openid to serve as a web-wide<br>
> basis for addressing blogspam, once such reputation management<br>
> principles are applied similarly to users.<br>
><br>
><br>
><br>
> If OpenID is to be used in consort with ws-trust protocols, or OAUTH,<br>
> the perception (being essentially concertedly messaged by Liberty<br>
> Alliance folk) may persist that "mere association with openid" brings<br>
> down the consorting protocol to the low-assurance level inherent in very<br>
> trademark "OpenID". That is, merge cardspace with openid, and you just<br>
> get openid-grade cardspace.<br>
><br>
><br>
><br>
><br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On<br>
> Behalf Of Peter Williams<br>
> Sent: Wednesday, September 17, 2008 2:30 PM<br>
> To: Paul Madsen<br>
> Cc: <a href="mailto:general@openid.net">general@openid.net</a><br>
> Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many<br>
> providers...<br>
><br>
><br>
><br>
> I'm more interested in the designers' view of the intent.<br>
><br>
><br>
><br>
> First, were they designing for cca?<br>
><br>
><br>
><br>
> Did they have expectations that only certain types of cca were envisaged, to<br>
> only certain types of app (eg classical wiki behaviour)?<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> ________________________________<br>
><br>
> From: Paul Madsen <<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>><br>
><br>
> Sent: Wednesday, September 17, 2008 1:30 PM<br>
><br>
> To: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
><br>
> Cc: <a href="mailto:general@openid.net">general@openid.net</a> <<a href="mailto:general@openid.net">general@openid.net</a>><br>
><br>
> Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many<br>
> providers...<br>
><br>
><br>
><br>
> Peter, I'm not going to make blanket statements about the applicability<br>
> of OpenID (or any authentication technology) to particular classes of<br>
> use cases. OMB/NIST got there first.<br>
><br>
><br>
><br>
> I will claim as a principle that the level of assurance engendered by<br>
> proofing, registration, and authentication, etc should be commensurate<br>
> with that provided by the assertion protocol. And that applies to SAML<br>
> Web SSO profile, WS-Fed, Infocards, etc<br>
><br>
><br>
><br>
> regards<br>
><br>
><br>
><br>
> paul<br>
><br>
><br>
><br>
> --<br>
><br>
> Paul Madsen e:paulmadsen @ <a href="http://ntt-at.com" target="_blank">ntt-at.com</a><br>
><br>
> NTT p:613-482-0432<br>
><br>
> m:613-302-1428<br>
><br>
> aim:PaulMdsn5<br>
><br>
><br>
> web:<a href="http://connectid.blogspot.com" target="_blank">connectid.blogspot.com</a><br>
><br>
><br>
><br>
><br>
><br>
> ----- Original Message ----<br>
><br>
> From: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
><br>
> To: Paul Madsen <<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>>; Peter <<a href="mailto:peterw@tux.org">peterw@tux.org</a>><br>
><br>
> Cc: "<a href="mailto:general@openid.net">general@openid.net</a>" <<a href="mailto:general@openid.net">general@openid.net</a>><br>
><br>
> Sent: Wednesday, September 17, 2008 4:06:15 PM<br>
><br>
> Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many<br>
> providers...<br>
><br>
><br>
><br>
> So...we have the creationists on the list.<br>
><br>
><br>
><br>
> I gave a long list of cca applications. Was cca a use case that the<br>
> design addressed?<br>
><br>
><br>
><br>
> When one uses openid to logon to the concordia mediawiki, was this use<br>
> part of the concept?<br>
><br>
><br>
><br>
> Is there anything inappropriate about using openid2 for mediawiki logon?<br>
><br>
><br>
><br>
> Should openid (of any quality, and user auth strength) never be used on<br>
> a wiki doing access controlled business activities (eg one of the business<br>
> groupware wikis provided by the pbwiki firm)?<br>
><br>
><br>
><br>
> ________________________________<br>
><br>
> From: Paul Madsen <<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>><br>
><br>
> Sent: Wednesday, September 17, 2008 12:56 PM<br>
><br>
> To: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>>; Peter<br>
> <<a href="mailto:peterw@tux.org">peterw@tux.org</a>><br>
><br>
> Cc: <a href="mailto:general@openid.net">general@openid.net</a><br>
><br>
> Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many<br>
> providers...<br>
><br>
><br>
><br>
> every creation story I've ever seen for OpenID has emphasized blog<br>
> commenting.<br>
><br>
><br>
><br>
> Wrt HealthVault, Microsoft themselves seem somewhat ambivalent -<br>
> appearing to place the burden of security review (of both OpenID and<br>
> OPs) on users<br>
><br>
><br>
><br>
> <a href="https://account.healthvault.com/help.aspx?topicid=faq#OpenIDProviders" target="_blank">https://account.healthvault.com/help.aspx?topicid=faq#OpenIDProviders</a><br>
><br>
><br>
><br>
> paul<br>
><br>
> --<br>
><br>
> Paul Madsen e:paulmadsen @ <a href="http://ntt-at.com" target="_blank">ntt-at.com</a><br>
><br>
> NTT p:613-482-0432<br>
><br>
> m:613-302-1428<br>
><br>
> aim:PaulMdsn5<br>
><br>
><br>
> web:<a href="http://connectid.blogspot.com" target="_blank">connectid.blogspot.com</a><br>
><br>
><br>
><br>
><br>
><br>
> ----- Original Message ----<br>
><br>
> From: Peter Williams<br>
> <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
><br>
> To: Paul Madsen <<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>>;<br>
> Peter <<a href="mailto:peterw@tux.org">peterw@tux.org</a>><br>
><br>
> Cc: "<a href="mailto:general@openid.net">general@openid.net</a>"<br>
><br>
> Sent: Wednesday, September 17, 2008 3:27:59 PM<br>
><br>
> Subject: RE: [OpenID] OpenID architecture critiques? Re: Too many<br>
> providers...<br>
><br>
><br>
><br>
> Out of interest, what were the use cases?<br>
><br>
><br>
><br>
> I've forgotten the name of the cissp who wrote the openid book, but I<br>
> recall his take: cca (cross company authentication) and blog commenting.<br>
><br>
><br>
><br>
> For cca, one has myopenid as the gold standard (in outsourcing the op<br>
> side of cca) and then there is/was plaxo as the gold standard consumer<br>
> (since you account link several openids to the localuserid). For<br>
> blogging, I'd pose google/blogger as the standard reference of using<br>
> openid to get authentication of comments, and yahoo as the classical<br>
> reference on how to be an op in the world of mega portals.<br>
><br>
><br>
><br>
> In the web2.0 world, we then had magnolia (notable for having no<br>
> localids) and claimid (notable for tagging documents you want to assert<br>
> authorship of).<br>
><br>
><br>
><br>
> In the (paradoxical) higher assurance space (that liberty folk<br>
> essentially question whether it even should really exist) we have microsoft<br>
> health vault service maintaining your sensitive health record<br>
> confidentiality, accepting openids from (only) trustbearer (who require<br>
> strong user auth using dod cac smartcard, usfed piv card, or other<br>
> javacard/globalplatform smartcard with decent rsa crypto strength (and<br>
> fips 140-1 and cc assurance, ideally, on the soc in the chip and the<br>
> id/keymanagement applets/firmware)).<br>
><br>
><br>
><br>
> ________________________________<br>
><br>
> From: Paul Madsen<br>
> <<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>><br>
><br>
> Sent: Wednesday, September 17, 2008 11:42 AM<br>
><br>
> To: Peter <<a href="mailto:peterw@tux.org">peterw@tux.org</a>>;<br>
> Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
><br>
> Cc: <a href="mailto:general@openid.net">general@openid.net</a><br>
><br>
> Subject: Re: [OpenID] OpenID architecture critiques? Re: Too many<br>
> providers...<br>
><br>
><br>
><br>
> This comparison is not specific to security, but does address it<br>
><br>
><br>
><br>
> <a href="http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html" target="_blank">http://identitymeme.org/doc/draft-hodges-saml-openid-compare-06.html</a><br>
><br>
><br>
><br>
> paul<br>
><br>
><br>
><br>
> p.s. I am a SAML/Liberty participant. I would not argue that OpenID<br>
> provides 'no' assurance - rather that it can provide a level of<br>
> assurance appropriate to the use cases that drove its development. I<br>
> know of no SAML advocate that would claim more than this correspondence<br>
> for SAML.<br>
><br>
><br>
><br>
> --<br>
><br>
> Paul Madsen e:paulmadsen @ <a href="http://ntt-at.com" target="_blank">ntt-at.com</a><br>
><br>
> NTT p:613-482-0432<br>
><br>
> m:613-302-1428<br>
><br>
> aim:PaulMdsn5<br>
><br>
><br>
> web:<a href="http://connectid.blogspot.com" target="_blank">connectid.blogspot.com</a><br>
><br>
><br>
><br>
><br>
><br>
> ----- Original Message ----<br>
><br>
> From: Peter <<a href="mailto:peterw@tux.org">peterw@tux.org</a>><br>
><br>
> To: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
><br>
> Cc: "<a href="mailto:general@openid.net">general@openid.net</a>"<br>
><br>
> Sent: Wednesday, September 17, 2008 2:19:46 PM<br>
><br>
> Subject: [OpenID] OpenID architecture critiques? Re: Too many providers...<br>
><br>
><br>
><br>
><br>
><br>
> Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<br>
><br>
>> Folks in the liberty alliance message (openly and convincingly)<br>
><br>
>> that openid cannot ever - inherently - be used for any purpose<br>
><br>
>> requiring "assurance". They point to the undisputed claim that<br>
><br>
>> the open designers knowingly made design tradeoffs in the crypto<br>
><br>
>> handshake and security critical security service composition rules,<br>
><br>
>> so as to make it all easy to deploy and adopt. Because of this<br>
><br>
>> precept, openid cannot even *be* fixed (since low assurance is the<br>
><br>
>> actual goal).<br>
><br>
><br>
><br>
> As someone who's moving towards integrating OpenID (RP and OP) into his<br>
><br>
> employer's web apps, I would very much appreciate URLs to such critiques.<br>
><br>
><br>
><br>
> From what I see, the most glaring problem is that some "major sites" that<br>
><br>
> act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so<br>
><br>
> RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more<br>
><br>
> obvious DNS and MITM/phishing attacks.<br>
><br>
><br>
><br>
> BTW, whoever maintains <a href="http://openid.net/get/" target="_blank">http://openid.net/get/</a> should probably change the<br>
><br>
> Yahoo information to "<a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a>" since that works and, unlike<br>
><br>
> <a href="http://openid.yahoo.com/" target="_blank">http://openid.yahoo.com/</a>, uses SSL/TLS.<br>
><br>
><br>
><br>
> Thanks,<br>
><br>
><br>
><br>
> Peter<br>
><br>
><br>
><br>
> _______________________________________________<br>
><br>
> general mailing list<br>
><br>
> <a href="mailto:general@openid.net">general@openid.net</a><br>
><br>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
><br>
</div></div>> ------------------------------------------------------------------------<br>
<div><div></div><div class="Wj3C7c">><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br>
</div></div>
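<div>The one concrete technical point in the thread above is Peter's: OPs whose identifier URLs are plain http:// leave the RP unable to use TLS to defend discovery against DNS spoofing and on-path or phishing attacks. The following is an added example, not code from the thread or from any OpenID library, of how an RP could enforce a "TLS everywhere" policy on the relying-party side: it normalizes the typed identifier along the lines of the OpenID 2.0 identifier-normalization rules (section 7.2 of the spec), runs HTML-based discovery over the identifier page using the spec's <code>openid2.provider</code> / <code>openid.server</code> link relations, and rejects the login unless both the claimed identifier and the discovered OP endpoint are https. The hostnames (<code>me.example.net</code>, <code>op.example.net</code>) and the two identifier pages are constructed sample input; a real RP would also attempt Yadis/XRDS discovery, which this example omits.</div>

```python
# Added example (not code from the thread): an RP-side policy check that a
# user's OpenID identifier and the OP endpoint found by HTML discovery both
# use https, so the RP can rely on TLS against DNS spoofing and on-path
# attacks. Hostnames below are constructed placeholders, not real OPs.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols; OpenID 2.0 section 7.2 treats these as XRIs
XRI_GCS = "=@+$!("
# link rel values used by OpenID 2.0 and OpenID 1.1 HTML-based discovery
DISCOVERY_RELS = ("openid2.provider", "openid2.local_id",
                  "openid.server", "openid.delegate")


def normalize_identifier(user_input):
    """Normalize a typed identifier roughly as OpenID 2.0 section 7.2 prescribes:
    strip an xri:// prefix, default to http:// when no scheme was typed,
    lowercase scheme and host, drop the default port and any fragment."""
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[6:]
    if s and s[0] in XRI_GCS:
        return s  # XRI; XRI resolution is out of scope for this example
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


class _LinkCollector(HTMLParser):
    """Collects the first href seen for each OpenID discovery <link rel=...>."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        rels = (attr.get("rel") or "").lower().split()  # rel may list several tokens
        for rel in rels:
            if rel in DISCOVERY_RELS and href:
                self.links.setdefault(rel, href)


def discover_html(document):
    """Return the discovery links found in an identifier page (HTML discovery
    only; a full RP would try Yadis/XRDS discovery first)."""
    collector = _LinkCollector()
    collector.feed(document)
    return collector.links


def check_tls_policy(user_input, identifier_page):
    """RP policy: both the claimed identifier and the OP endpoint must be https."""
    claimed = normalize_identifier(user_input)
    links = discover_html(identifier_page)
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    findings = []
    if urlsplit(claimed).scheme != "https":
        findings.append("claimed identifier is not https: the identifier page and its "
                        "discovery links can be replaced by DNS spoofing or an on-path attacker")
    if endpoint is None:
        findings.append("no OP endpoint found by HTML discovery")
    elif urlsplit(endpoint).scheme != "https":
        findings.append("OP endpoint is not https: the authentication redirect and the "
                        "OP's response can be intercepted or redirected to a phishing OP")
    return {"claimed_id": claimed, "op_endpoint": endpoint,
            "ok": not findings, "findings": findings}


# Constructed identifier pages (sample input, not captured from any real OP)
SECURE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/alice">
</head><body>alice</body></html>"""

PLAIN_PAGE = """<html><head>
<link rel="openid.server openid2.provider" href="http://op.example.net/server">
</head><body>alice</body></html>"""

if __name__ == "__main__":
    for ident, page in (("https://me.example.net/alice", SECURE_PAGE),
                        ("me.example.net/alice", PLAIN_PAGE)):
        result = check_tls_policy(ident, page)
        print(ident, "->", "accept" if result["ok"] else "reject")
        for finding in result["findings"]:
            print("  -", finding)
```

<div>Run as-is, the first identifier is accepted and the second is rejected with two findings: the typed identifier defaulted to http://, and the discovered endpoint is also plain http. Note that the policy deliberately checks the endpoint as well as the identifier, since an https identifier page that points at an http OP endpoint still leaves the redirect to the OP unprotected.</div>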