<div dir="ltr">Can we have identity without trust? Can we have trust without identity? In my mind, the two are interwoven. When a person identifies themselves, we need some element of trust (if we're in person and we've met them before, our memory provides that trust; if not, a photo ID, etc.). To rephrase, I'd say that identity can technically exist without trust, but it's meaningless to us humans.<br>
<br>Trust can also not exist without identity. If you log in to my web site, a 3rd party vouches for your claim of identity. In order to trust this 3rd party, I must know who they are. If it's a random entity, then why should I trust them? It's like a driver's license. It's only a valid form of ID because it's certified by the government, and we know who the different government entities are (DMV, Department of State, etc.). If I were a bouncer checking IDs, I'd be a bit suspicious if someone gave me a driver's license issued by "State of MyFakeState". The same goes for virtual identity. Why should I trust a random OP?<br>
<br>- Brandon<br><br><div class="gmail_quote">On Sat, Oct 18, 2008 at 12:23 AM, Chris Messina <span dir="ltr"><<a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I don't think that it's necessarily OpenID's job to solve these specific problems. It's really an identity protocol; trust, veracity and authenticity (in the human sense) are, by design (and by extension, politics) purposely kept out of scope.<div>
<br></div><div>Several of our companies, mine included, operate in the space afforded by the adoption of a technology like OpenID, where you can choose to have increasing levels of complexity, encryption, circuity and sophistication to thwart those who would gain by attempting to act as though they were you.</div>
<div><br></div><div>Whether you verify that you're human by receiving a $1 transaction or a 5 character text message is actually an opportunity for innovation and research, and by promoting the adoption of OpenID as a common conduit, we enable the pre-conditions for such an industry to grow up with consumer-facing services (as opposed to enterprise).</div>
<div><br></div><div>My girlfriend today commented that OpenID is too hard because it requires too many steps. She wasn't talking about the authentication dance -- and she didn't even mind typing in her blog address to sign in (she's delegated to ClaimID.com). Instead her gripe was with the form-filling process *immediately* following the sign in process where, even though her OpenID provider has her name, email, bio and a bunch of other choice tidbits, the relying party either didn't, or didn't know how to, ask for it from her IdP. And since she had to re-enter this data *yet* again, OpenID as a whole ended up looking bad.</div>
<div><br></div><div>The point that I'm ultimately making here is that we could sit here all day arguing over the need to secure one's identity and how to do it, but for most people, that's self-referential bike shed painting.</div>
<div><br></div><div>We need this stuff to just work and get out of the way (unless a user chooses otherwise), and no user interface research is going to be complete unless we also weigh the second order benefits of time-saving and smoother flows that can come by enhancing the standards-based identity technologies.</div>
<div><br></div><div>To that end, I think we need to think beyond just authentication here, and look at what happens immediately AFTER you've signed in with OpenID. How can we make that experience intuitive, compelling, desirable and motivating? How can we get it in people's heads that the OpenID experience is the one that they WANT -- and the one that they should DEMAND from their favorite web services?</div>
<div><br></div><div>If we can't improve even the basic sign up and sign in flows from where they are today, indeed, we will continue to struggle with basic issues like awareness and adoption.</div><div><br></div><div><font color="#888888">Chris</font><div>
<div></div><div class="Wj3C7c"><br>
<br><div class="gmail_quote">On Fri, Oct 17, 2008 at 8:50 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com" target="_blank">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
This assurance/practice using email is essentially identical to the infamous dollar auth transaction, against VisaNet. If one can get an auth from VISA to allow the user a $1 credit, then you can infer the VISA number is accurate, and in good standing. It implies identity verification (and you can invoke fraud law against any law breakers).<br>
<br>
This is itself only a variant of a 100-year-old FBI trick: to induce someone under prosecution threat to commit formal mail fraud ... so one can obtain leverage (incarceration, anal probing, association with the explicit violence of gangland present in holding cells etc.) during a plea bargain over something much harder to prove.<br>
<br>
<br>
Attack surfaces tend to be multi-level (and that's a pun).<br>
<div><br>
<br>
-----Original Message-----<br>
From: <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] On Behalf Of Allen Tom<br>
Sent: Friday, October 17, 2008 8:35 PM<br>
To: Dick Hardt; OpenID List<br>
Subject: Re: [OpenID] Combining Google & Yahoo user experience research<br>
<br>
</div><div><div></div><div>Dick Hardt wrote:<br>
><br>
> The UX of getting a verified email and then auto binding an existing<br>
> account is cleaner. It does mean that if I can prove I have your email<br>
> address, that I can take over your account. Seems to broaden the<br>
> attack surface rather than narrow it.<br>
><br>
<br>
Hi Dick,<br>
<br>
Many sites allow an account's password to be reset by sending a Reset<br>
Token to an email address associated with the account. An attacker who<br>
gains access to the email address is able to reset the password, and is<br>
therefore able to take over the account. If the ability to reset a<br>
password is equivalent to logging in, then the attack surface is really<br>
unchanged.<br>
<br>
Allen<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br><br clear="all"><br></div></div><div class="Ih2E3d">-- <br>Chris Messina<br>Citizen-Participant &<br> Open Technology Advocate-at-Large<br><a href="http://factoryjoe.com" target="_blank">factoryjoe.com</a> # <a href="http://diso-project.org" target="_blank">diso-project.org</a><br>
<a href="http://citizenagency.com" target="_blank">citizenagency.com</a> # <a href="http://vidoop.com" target="_blank">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div></div>
<br></blockquote></div><br></div>
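<div>Added example (not part of the thread and not any participant's code): a small Python model of the two flows Dick Hardt and Allen Tom compare above, a password reset token mailed to the account's address and verified-e-mail auto-binding of an existing account on OpenID sign-in. It shows that whoever controls the mailbox reaches the same account by either route. The in-memory store, the hypothetical attacker OP identifier <code>https://attacker.example/id</code>, the 15-minute token lifetime, the sample accounts and PBKDF2 standing in for a real password hash are all assumptions of the example.</div>

```python
"""Two ways an e-mail address becomes an account credential (added example, not code from the thread)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

RESET_TOKEN_TTL = 15 * 60  # seconds a mailed reset token stays valid (assumed policy)


def _hash_password(password, salt):
    # PBKDF2 stands in for a real password KDF (argon2/bcrypt) so the example has no dependencies.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _digest(token):
    # Only a hash of the mailed token is stored, so reading the database alone yields no usable token.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    openids: set = field(default_factory=set)  # claimed identifiers linked to this account


class AccountStore:
    def __init__(self):
        self.accounts = {}      # username -> Account
        self.by_email = {}      # normalised e-mail -> username
        self.reset_tokens = {}  # sha256(token) -> (username, expiry timestamp)

    def create(self, username, email, password):
        salt = secrets.token_bytes(16)
        acct = Account(username, email.lower(), salt, _hash_password(password, salt))
        self.accounts[username] = acct
        self.by_email[acct.email] = username
        return acct

    def check_password(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    # --- Flow 1: classic e-mail password reset ---------------------------------
    def request_reset(self, email, now=None):
        """Return the token that would be mailed to the address, or None if it is unknown."""
        username = self.by_email.get(email.lower())
        if username is None:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_digest(token)] = (username, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Set a new password if the token is known, unexpired and unused; return the username or None."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(_digest(token), None)  # single use: consumed on any attempt
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            return None
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        return username

    # --- Flow 2: OpenID sign-in with verified-e-mail auto-binding --------------
    def login_with_openid(self, claimed_id, email, email_verified):
        """Return the username an OpenID assertion logs into, or None if no account matches."""
        for acct in self.accounts.values():
            if claimed_id in acct.openids:
                return acct.username
        if not email_verified:
            return None  # an unverified e-mail attribute must never bind an existing account
        username = self.by_email.get(email.lower())
        if username is None:
            return None
        self.accounts[username].openids.add(claimed_id)  # auto-bind: the e-mail claim is the credential
        return username


def mailbox_takeover(store, victim_email):
    """Simulate an attacker who controls the victim's mailbox taking both routes to the same account."""
    token = store.request_reset(victim_email)  # lands in the attacker-controlled mailbox
    via_reset = store.complete_reset(token, "attacker-chosen")
    # The attacker's own OP (hypothetical identifier) verified the same mailbox and asserts it.
    via_openid = store.login_with_openid("https://attacker.example/id", victim_email, True)
    return via_reset, via_openid


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "alice@example.org", "correct horse")  # constructed sample account
    print(mailbox_takeover(store, "alice@example.org"))  # both routes reach "alice"
```

<div>The reset path stores only a hash of the mailed token, expires it and consumes it on first use; the OpenID path refuses to bind on an unverified e-mail attribute. Neither hardening changes the point made in the thread: both routes still reduce to control of the mailbox, so any extra assurance has to come from the e-mail account itself or from a second check at bind time.</div>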