<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.5pt;
        font-family:Consolas;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:Consolas;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText>Ok. I’ve been corrected. Disqus is an RP, not an OP. <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I’m sighing relief, for the OpenID brand (and change.gov’s
credibility). <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>It was Passport’s violation of EC data protection rules,
all over again, for a moment, there.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>------------<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>The ability for the disqus.com value-adder (of commenting
services) to correlate is a simple function of being an outsourcer of blog
commenting services. It has nothing to do with being an OpenID function or some
related side effect of the properties of verified identities (which was the claim/benefit).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>The original claim implied that properties/benefits __of
OpenID__ on that site facilitated the correlations being performed by the RP.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Obviously, any outsourced vendor can cross-correlate data
across its tenants. This is a function of the outsourcer failing to deliver/offer
a credible assurance for the compartmentalization of tenant data.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>So,<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>if there are identity-based access controls in place at
the cross-correlating RP site that say that release of the x-correlations
is (a) dependent on recognizing citation of a verified openid served by X list
of correlator-trusted OPs, and (b) the search is predicated on you NOW showing
you STILL control THAT openid in order to invoke/release the cross-correlations report
about THAT openid, then fine. This is indeed just an RP, accepting openids and doing
data mining (in a non-compartmentalized dataset).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>The threat I described still exists (and is a simple function
of collaborating RPs, and lack of compartmentalization), but at least it's NOT
now a _property_ of the openid auth OP. It’s a simple side effect of the fact
that URLs can be recognized as a single identity.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>In the SAML2 world, of course, one addresses this innate power
of RPs to coordinate x-correlations - presumably against your privacy interests
- by exploiting persistent and transient nameid formats.<o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
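<p class=MsoPlainText>The SAML2 persistent/transient NameID remedy mentioned above, and the RP cross-correlation it is meant to blunt, as an added example that is not part of this thread and is not Disqus', change.gov's or any OpenID library's code: a toy identity provider (the class name, master key, user names and RP names are all constructed for the example) that can hand an RP either a global URL identifier, a per-RP persistent pseudonym derived with an HMAC under the OP's secret, or a one-time transient handle, followed by a simulation of two RPs pooling their comment logs and joining on whatever identifier they were given.</p>

```python
"""Toy OP illustrating global vs. pairwise (persistent/transient) identifiers.

Added example, not code from the thread, Disqus, change.gov, or any OpenID or
SAML library. Every name, key and RP below is constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class ToyIdentityProvider:
    """Hypothetical OP. The master key is supplied by the caller (constructed)."""

    def __init__(self, master_key: bytes) -> None:
        self._key = master_key
        # Transient handles issued this session: (rp, handle) -> internal user.
        self._transient: Dict[Tuple[str, str], str] = {}

    def global_identifier(self, user: str) -> str:
        # Plain OpenID-style URL identifier: identical at every RP, so any two
        # RPs (or one outsourcer serving many sites) can join records on it.
        return f"https://op.example/{user}"

    def persistent_identifier(self, user: str, rp: str) -> str:
        # Pairwise pseudonym: stable for this (user, RP) pair so the RP can
        # recognise a returning commenter, but derived under the OP's secret
        # from the RP's name, so different RPs receive unrelated values.
        msg = f"{user}\x00{rp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def transient_identifier(self, user: str, rp: str) -> str:
        # One-time handle: fresh random value per session. Only the OP can map
        # it back to the user, and only for the RP it was issued to.
        handle = secrets.token_urlsafe(16)
        self._transient[(rp, handle)] = user
        return handle

    def resolve_transient(self, rp: str, handle: str) -> Optional[str]:
        return self._transient.get((rp, handle))


def join_comment_tables(table_a: Dict[str, List[str]],
                        table_b: Dict[str, List[str]]) -> List[str]:
    """Simulate two RPs pooling their comment logs and joining on identifier.

    Each table maps identifier -> list of comment texts. The result is the set
    of identifiers present in both, i.e. the users the pair can correlate.
    """
    return sorted(set(table_a) & set(table_b))


def simulate(op: ToyIdentityProvider, name_format: str) -> List[str]:
    """Run two constructed users across two constructed RPs and return what a
    colluding pair of RPs could link. name_format is 'global', 'persistent'
    or 'transient'."""
    issue = {
        "global": lambda user, rp: op.global_identifier(user),
        "persistent": op.persistent_identifier,
        "transient": op.transient_identifier,
    }[name_format]
    rp_a, rp_b = "https://change.example", "https://blog.example"  # constructed
    table_a: Dict[str, List[str]] = {}
    table_b: Dict[str, List[str]] = {}
    for user in ("alice", "bob"):  # constructed users
        table_a.setdefault(issue(user, rp_a), []).append(f"{user}'s comment at A")
        table_b.setdefault(issue(user, rp_b), []).append(f"{user}'s comment at B")
    return join_comment_tables(table_a, table_b)


if __name__ == "__main__":
    op = ToyIdentityProvider(b"constructed-master-key-for-the-example")
    for fmt in ("global", "persistent", "transient"):
        print(f"{fmt:10s} -> RPs can link: {simulate(op, fmt)}")
```

<p class=MsoPlainText>With the global identifier the two RPs link both users immediately; with the persistent format each RP still recognises its own returning users, but the join across RPs is empty; with the transient format nothing is linkable even within one RP. The persistent form is the one that lets an RP implement the "show you STILL control THAT openid" check while denying the outsourcer a free join key.</p>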
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Peter
Williams<br>
<b>Sent:</b> Friday, November 28, 2008 1:20 PM<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] OpenID on change.gov<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hold on. I don’t see what is being specifically cited here as
necessarily a benefit – and certainly not what OpenID is about, in its baseline
assurances. What’s being presented is a value-added service by an OP that goes
beyond OpenID properties –and evidently discloses correlations/datamining to
account holders (and possibly others).<o:p></o:p></span></p>
<div style='border:none;border-bottom:solid windowtext 1.0pt;padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Mainline site = OP = disqus.com = openid provisioner<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>RP site = change.gov = where citizens leave comments, verified or
not (and verified by any openid1 OP, including disqus.com)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If disqus.com OP is used by user (versus some other OP), a
citizen may optionally visit disqus.com (acting as just a value-adding RP of
its own OP service).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The RP disqus.com datamines its OP-function logs, and presents a
list of other-RP sites where - in its OP-function – it has previously delivered
verified-openids.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So far, so good – as this is essentially the same as myopenid,
its audit trail, and its configuration of per-RP attribute release policies.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>------------<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Beyond OpenID compliance, however:-<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>A. However, the disqus.com RP goes one step further in that it
appears to know the specific comment URI for which, earlier, it delivered a
verified openid to a “known” commenting site – an RP in the “Disqus trust
network”, such as change.gov.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>B. Either by dynamic de-reference or by OOB replication, the
disqus.com RP aggregates all the comments’ texts associated with a verified
openid and presents them for viewing.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I don’t necessarily like the properties of A and B. And I
don’t like them being labeled an “openID function”.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I want an OP to normally ONLY know that RPx was the recipient of
a verified id. I don’t want it to have the ability to trace/track which _<i>transaction</i>_
on the RP it was applied to (e.g. some specific comment origination).
And, I certainly don’t want it to BY DEFAULT cross-correlate the
originated comments across many RPs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>For all I know, there could be a deal between RP change.gov and
OP/RP disqus.com that allows, under my account’s terms of service, change.gov
to also see some or all of the places where a verified id used on
change.gov…has deposited comments elsewhere.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If I deliver some series of politically-incorrect comments on
change.gov (and get, like Paul Newman, put onto a White House enemies list for
simply being too active, vocal or effective in argument), one can see the FBI
or US Secret Service wanting to EASILY see the list of where else I’ve
commented – to assess the threat level I pose. That threat level would normally
be a function of my associations, which will include being associated with a
commenting site …such as trots.org. I have no doubt disqus.com would hand
over this list of associations in an instant, without informing me -
and do that irrespective of what the terms of service require, under the
freedom of contract.<o:p></o:p></span></p>
<div style='border:none;border-bottom:solid windowtext 1.0pt;padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So, yes, we are clearly rapidly maturing! Evidently, some OPs
are failing to segregate duties. Their opportunity to correlate is being bundled
with identity-verification services. While it is being sold as a UCI benefit, in
reality it’s much more likely to be being sold to the RPs, for a backroom fee.
Even if that fee subsidizes valuable end-user services (just as Google’s
AdWords correlations-based search revenue subsidizes all the “stuff” Google
delivers “at no cost”), the conflagration of identity provider and value-added
provider is dubious. The OP is no longer a _<i>disinterested</i>_ third party
in your actions on the RP site(s).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Chris Messina<br>
<b>Sent:</b> Friday, November 28, 2008 12:47 PM<br>
<b>To:</b> Sam Alexander<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] OpenID on change.gov<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>To expand on this, the value in the Disqus and IntenseDebate
systems is that a user can sign up for an account on either mainline site
(centrally on <a href="http://disqus.com">disqus.com</a> or <a
href="http://intensedebate.com">intensedebate.com</a>) and then reuse those
accounts elsewhere.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Moreover, by using a verified identifier (without having to
divulge one's password to an untrusted third party site), you can then go back
to the mainline sites to see an aggregated view of the comments you've left on
the sites that support any of these systems.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Of course it requires many sites and commenting forms to
adopt either of these services, but it demonstrates a value of being able to
leave a comment in the wild and then see follow up responses in one place (a
user-centric value-add).<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>Chris<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Nov 27, 2008 at 6:25 PM, Sam Alexander <<a
href="mailto:sam.alexander@vidoop.com">sam.alexander@vidoop.com</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal>Eric, you are confusing adoption and usefulness. While you
are right,<br>
there are probably very few OpenID-backed comments, OpenID's<br>
usefulness is an entirely different question.<br>
<br>
OpenID remains a powerful extension of Identity on the web. While a<br>
common username/email comment adds no RECIPROCAL value to the<br>
commenter, an OpenID comment WOULD. It would allow that comment to be<br>
attributed to a specific, verified URL owner.<br>
<br>
While few of the 3,000 commenters may be aware of this value, the<br>
added value still exists.<br>
<span style='color:#888888'><br>
- Sam Alexander</span><o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
On Nov 27, 2008, at 3:18 PM, Eric Norman <<a
href="mailto:ejnorman@doit.wisc.edu">ejnorman@doit.wisc.edu</a>> wrote:<br>
<br>
><br>
> On Nov 27, 2008, at 4:47 PM, Peter Williams wrote:<br>
><br>
>> It's a request for comments: that's a classical use of openid: and no<br>
>> authority is required to uniquely leave your/a (citable) web id<br>
>> attached to your opinion. It's easy to follow up with you, given the<br>
>> inherent linkback to the identity page.<br>
><br>
> It appears that anyone can leave a comment without the OpenID<br>
> stuff or without going through some registration process.<br>
> Furthermore, I doubt if they have either the time or motivation<br>
> to follow up on anything. Nevertheless, they do provide you<br>
> with a way to provide an optional email address.<br>
><br>
> Hence, I'll repeat the question. Why would anyone want to use<br>
> OpenID here? It seems to add nothing more than extra work.<br>
><br>
> Or let me put it this way. As of yesterday, there were close<br>
> to 3,000 comments on health care. How many of those do you<br>
> think used OpenID to leave their comment? I'll bet on close<br>
> to zero.<br>
><br>
>> If the founding openid culture doesn't fit with grassroots<br>
>> commenting,<br>
>> where does it fit!?<br>
><br>
> Where it adds value.<br>
><br>
> By the way Peter, it seems that your system is the one adding<br>
> "LIKELY SPAM" to subject lines.<br>
><br>
> Eric Norman<br>
><br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@openid.net">general@openid.net</a><br>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><br>
<br clear=all>
<br>
-- <br>
Chris Messina<br>
Citizen-Participant &<br>
Open Technology Advocate-at-Large<br>
<a href="http://factoryjoe.com">factoryjoe.com</a> # <a
href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a
href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ]
private<o:p></o:p></p>
</div>
</div>
</body>
</html>