<div dir="ltr">I like this idea. I'll probably get yelled at for saying this, but if the registrars for this gTLD agreed to lay out certain validations during the registration process, then it could make RP's lives easier by only accepting OpenID's based under that gTLD. If the registrar validates certain policy claims, such as an OP requiring strong authentication or password rotations, then they can publicly advertise that information and the OpenID spec could perhaps include that for clients.<br>
<br>I see the strongest barrier to entry for OpenID not to be the consumer, but the RP. While building a new web site, there is too much risk involved in supporting OpenID or any distributed authentication technology because there is no way to the security of that authentication process. If registrars had a procedure for allowing prospective OP's to claim certain features (this schema would obviously need to be standardized, hence a new spec), such as strong authentication, phone call verification, etc., then the registrars could validate these claims and advertise them for RP's.<br>
<br>Just a thought...<br><br>- Brandon<br><br><div class="gmail_quote">On Sat, Sep 27, 2008 at 1:14 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Snorri: dont get too excited about national adoptions of stuff. Vienna is fully ENUM enabled, too. Helsinki has full SSO roaming between GSM carriers (its built into GSM key management standards!) that allows for phone banking.<br>
<br>
Its a useful to measure openid focus tho - who ...with (intelligent not VC) money to invest ..thinks what! about OpenIDs "core infrastructure problems" - What is it that needs solving, at a business/board level that can vector OpenId into the "infrastructure" league, that lots of big capital companies can then own?<br>
<br>
Is is the "means to deal with the 'scourge' of comment spam"? - OpenID future is all about reputation management<br>
<br>
Is it the means to hold "blog commentators liable for their defamations"? - OpenID ensures only authenticated blog-comments are allowed in China ISPs ...and lots of dispute management services get sold<br>
<br>
Is it the "UCI liberator that frees up social networks"? - OpenID forces Facebook to share the ball in the web2.0 playground, like it forced AOL to share IM buddies with MSN, Yahoo and jabber (urrr...)<br>
<br>
Is it "the URL that will finally save RDF"? - OpenID saves Foaf and UI-based ontology-based mashups (and authenticates SPARQL queries to SQLSERVER 2008, while its at it)<br>
<br>
Is it now the savior of DNSSEC ? - ie. OpenID gets the Assurance Liberty says is missing - by relying on an external (non XRI) trust fabric (Nate's main point). Hmm!<br>
<br>
Is it an ICANN marketing ploy to decouple secure naming from SSL certs in favor of DNS and IPv6? - Attack VeriSign's ultimate source of leverage in the .com name registration market (since SSL/certs do the same as DNSSEC, practically)? Who on Earth would have ICANN to do that!!?And, Why!?<br>
<br>
Lots to think about.<br>
<br>
________________________________________<br>
From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On Behalf Of Snorri [snorri@snorri.eu]<br>
Sent: Saturday, September 27, 2008 9:43 AM<br>
To: 'Martin Atkins'; 'Hans Granqvist'<br>
Cc: 'Zdravko Stoychev'; <a href="mailto:board@openid.net">board@openid.net</a>; <a href="mailto:general@openid.net">general@openid.net</a><br>
Subject: Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor<br>
<div><div></div><div class="Wj3C7c"><br>
I agree!<br>
<br>
About DNSSEC, e.g.: I believe that the Swedish NIC <a href="http://www.iis.se/" target="_blank">http://www.iis.se/</a> (also<br>
in Bulgaria: ".bg") already use and sign with DNSSEC for their ccTLDs<br>
domains...<br>
<br>
-Snorri<br>
<br>
-----Message d'origine-----<br>
De : Martin Atkins [mailto:<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>]<br>
Envoyé : samedi 27 septembre 2008 10:55<br>
À : Hans Granqvist<br>
Cc : Snorri; <a href="mailto:board@openid.net">board@openid.net</a>; <a href="mailto:general@openid.net">general@openid.net</a><br>
Objet : Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor<br>
<br>
Hans Granqvist wrote:<br>
> Wrong end of the URL!<br>
><br>
> A big problem with OpenID is that it uses ugly URLs as identifiers.<br>
> That they start with "http://" and have dots. It's not what TLD they<br>
> end with that is a problem.<br>
><br>
Much like when URLs are published in the press, the http:// prefix and<br>
the single-slash path component can be omitted when displaying these<br>
URLs to users. I wish more RPs would do this.<br>
<br>
As for it being a problem that the identifiers contain dots... that's<br>
clearly a subjective issue!<br>
> Anyway, compared to say, ".com", how will creating ".openid" help<br>
> improve anything? Looks like a misspelling of "opened". "myid"<br>
> isn't much better.<br>
><br>
><br>
<br>
One thing that amuses me about this proposal is that putting everything<br>
OpenID in one DNS domain would make it look a lot like the first version<br>
of Sxip where the IdPs where subdomains of <a href="http://sxip.com" target="_blank">sxip.com</a> (or something like<br>
that; it's been a while.)<br>
<br>
I know that's not exactly what's being proposed here, but it did make me<br>
chuckle from a "what's old is new again" perspective.<br>
<br>
One thing I would be interested to know is whether having a new<br>
top-level domain for identifiers would make it possible to use different<br>
rules inside that domain such as requiring DNSSEC. It's become clear<br>
that getting DNSSEC deployed right at the root and in the existing TLDs<br>
is not happening soon, but perhaps it can be used under a new TLD if RPs<br>
support it. I confess to not knowing a great deal about DNSSEC, but it<br>
seems to me that in order for it to be worth having a new TLD<br>
*something* has to be different to the existing free-for-all domains.<br>
Addressing the concern that OpenID depends on DNS and DNS is insecure<br>
would be a useful goal.<br>
<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>