<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
 --></style><title>Re: [OpenID] [LIKELY_SPAM]Re: Problems with
delegation and</title></head><body>
<div>&gt;Even then, it seems that some RPs don't really do SSL
correctly;<br>
&gt;they don't completely validate the SSL certificates against a<br>
&gt;trusted list of root CAs.&nbsp; So if self-signed SSL certs don't
raise</div>
<div>&gt;any warnings, then SSL is sort of compromised anyway.</div>
<div><br></div>
<div>Where did you get the &quot;trusted list&quot; from? (I predict
that, in the future, &quot;XRI&quot; will be a synonym for
&quot;however&quot;; we got it from SOMEwhere, not specifying though.)
Could you leverage existing OpenID associations?</div>
<div><tt>http://blogs.sun.com/bblfish/entry/cryptographic_web_of_trust</tt
></div>
<div>But then we have problems with cache poisoning for independent
sites that haven't begun to support OpenID (or even SSL!) yet. I
suspect that this will cease being a problem if we can move to XRIs;
in the meantime, it's somewhat awkward to add a public key to
someone's OpenID (thus discriminating between &quot;site.com&quot;
with one self-signed SSL cert and &quot;site.com&quot; with
another).</div>
<div><br></div>
<div>-Shade</div>
</body>
</html>