<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:460609016;
        mso-list-template-ids:-1324324414;}
@list l1
        {mso-list-id:796603746;
        mso-list-template-ids:1655884378;}
@list l2
        {mso-list-id:816999388;
        mso-list-template-ids:1038410336;}
@list l3
        {mso-list-id:1267695139;
        mso-list-template-ids:-1543735712;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Fair enough, Brett: though do understand I’ve lived
through similar wars over CAs tuned to “web culture”, when “PKIs”
and their often-US government backed assurance frameworks attempted to “promote”
assurance frameworks …controlling who could assert which cert to which
cert-user – even in the private sector. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>We pushed back the tide last time (PKIs), to ensure the world of cert
assertion/reliance infrastructure promoted/implemented self-signed certs (chains)
at the same level of legitimacy and commodity support as TTP certs …allowing
low assurance frameworks to bootstrap. (As the world of PKI shows, none of that
in any way prevented high-assurance, high-value, well governed frameworks
existing, as overlays).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The core issue is certainly the role of TTPs and any
inter-TTP pacts concerning shared-governance. Mostly functionally equivalent
bit formats and signaling protocols (Kerberos, ldap binds, certs, GlobalPlatform/PIV,
SAML, openid auth, …) are obviously irrelevant to issues of control
and governance of public networks.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>To UCI. UCI is a term that has definitively morphed …to
mean different things to different communities, often with different “control
constituencies”.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In OpenID’s design concept, the CLAIM is/was that “web”
user-centric means/meant that TTPs do not “control” users (as bound
subscribers). OpenID’s notion of UCI is not delivered, for example,
merely by supporting law#4 (directed identity). UCI in the openid sense requires
that a user’s ability to access their subscription at their RPs CAN BE (by
user care) largely un-impacted by the cessation of the relationship between the
user and any particular OP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The OpenID control thesis for UCI is shown nicely in the Plaxo
model, where any one of several openids managed by several OPs may be bound/linked
to the user’s plaxo/RP account by one, user-controlled discovery file. In
a given act of signin, the User induces the RP to discover the user-named/controlled
discovery file. This delegates to several OpenID2 OPs – any one of which
the RP may use, and some multiple of which will presumably usefully link to the
RP account.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>With judicious account linking at RPs and by ensuring delegation
CAN be 100% controlled by users (if they care enough), UCI in the openid sense
is NICELY implemented. Of course, none of this low-assurance world (equivalent
to self-signed certs) stops openid protocols being used in closed-community overlays
to implement the more TTP control model facilitating high-assurance, governance
based control practices over a subscriber’s web-life.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Brett McDowell
[mailto:brett@ictprojects.com] <b>On Behalf Of </b>Brett McDowell<br>
<b>Sent:</b> Thursday, December 04, 2008 11:03 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Nat Sakimura; Eddy Nigg (StartCom Ltd.); general@openid.net<br>
<b>Subject:</b> Re: [OpenID] For the nominees<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Peter, you seem to be conflating Liberty Alliance (an
organization with a broad mandate, including user-centric identity) with SAML
2.0 (a federation protocol that -- in large part, but not entirely -- came out
of work Liberty Alliance did). I also think you're giving SAML a black
eye it doesn't deserve, but I'll let my technical betters defend the
user-empowerment of SAML. <o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On Dec 4, 2008, at 12:56 PM, Peter Williams wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Assurance in the “system”? Or assurance about an
individual operator?</span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Liberty has active programs for facilitating governance of IDPs,
and IDPs control over Users and RPs. OpenID encourages a contrasting
world of UCI, which has no governance model and no assumption that governance
is particularly relevant.</span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I do hope OpenID Japan is not acting as an (undeclared) proxy
for Liberty initiatives. There is little or no conception of UCI in the Liberty
view of the world. Liberty is a full power TTP control model, where the IDP
“controls” users as subscribers and (indirectly) governs their
conduct on RP systems. In OpenID, if one OP removes your access to
your assertions or attributes signaled to a given RP, you can ALWAYS dump them
and SIMPLY use another on the same RP, ___with no impact to the User__. This is
(obviously) not the case with the TTP model, where the IDP _<i>controls</i>_
the level of impact on one or more RPs.</span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p>
</div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;
border-width:initial;border-color:initial'>
<div>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:black'>From:</span></b><span class=apple-converted-space><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> </span></span><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><a
href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [<a
href="mailto:general-bounces@openid.net">mailto:general-bounces@openid.net</a>]<span
class=apple-converted-space> </span><b>On Behalf Of<span
class=apple-converted-space> </span></b>Nat Sakimura<br>
<b>Sent:</b><span class=apple-converted-space> </span>Thursday, December
04, 2008 7:32 AM<br>
<b>To:</b><span class=apple-converted-space> </span>Eddy Nigg (StartCom
Ltd.)<br>
<b>Cc:</b><span class=apple-converted-space> </span><a
href="mailto:general@openid.net">general@openid.net</a><br>
<b>Subject:</b><span class=apple-converted-space> </span>Re: [OpenID] For
the nominees</span><span style='color:black'><o:p></o:p></span></p>
</div>
</div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='color:black'>Hi Eddy, <o:p></o:p></span></p>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>Here are my answers inline: <o:p></o:p></span></p>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>On Thu, Dec 4, 2008 at 10:14 PM,
Eddy Nigg (StartCom Ltd.) <<a href="mailto:eddy_nigg@startcom.org">eddy_nigg@startcom.org</a>>
wrote:<o:p></o:p></span></p>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>There are a few questions I'd like
to ask the current nominees in order to get a better picture about which ideas
a nominee represents. Of course the questions are specifically what I feel
important:<o:p></o:p></span></p>
</div>
<ol style='margin-top:0in' start=1 type=1>
<li class=MsoNormal style='color:black;mso-list:l3 level1 lfo1'>Adoption of
OpenID by relying parties isn't on-par with the amount of providers
available. How would you improve that ratio?<o:p></o:p></li>
</ol>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>In Japan, we are doing the
following: <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>- Individual visit to potential
RPs to persuade them of the value of being an RP. <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>- Technical seminars to get them
up to speed. <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>- Create an Assurance Framework
(this is in progress) to let them have better "trust" in the system. <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>I personally think we should
replicate it on a global scale. <o:p></o:p></span></p>
</div>
</div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;
border-width:initial;border-color:initial'>
<div>
<ol style='margin-top:0in' start=1 type=1>
<li class=MsoNormal style='color:black;mso-list:l2 level1 lfo2'>What is it
that should be done in order to have big providers like Google, Yahoo!,
Microsoft rely on other operators?<o:p></o:p></li>
</ol>
</div>
</blockquote>
<div>
<div>
<p class=MsoNormal><span style='color:black'> Assurance framework is a
key. Right now, we have no good way of assessing the assurance level of the
assertions. Once it is solved, it will become much easier for them to start
accepting the assertions created by a third party. <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>Also, we have to show the relevant
parties the market and profit potential. <o:p></o:p></span></p>
</div>
</div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;
border-width:initial;border-color:initial'>
<div>
<ol style='margin-top:0in' start=1 type=1>
<li class=MsoNormal style='color:black;mso-list:l0 level1 lfo3'>Do you think
that a trust relationship framework should be created, similar to PKI
auditing (or any other/similar idea) in order to allow relying parties
easily trust other operators? Or what would you suggest instead?<o:p></o:p></li>
</ol>
</div>
</blockquote>
<div>
<div>
<p class=MsoNormal><span style='color:black'>Obviously, an assurance framework coupled
with auditing is a key factor. I think we should look at Liberty Alliance's
Identity Assurance Framework (IAF). IAF is protocol independent so we can
profile it to OpenID. Also, Assurance does not come in the form of Technology
alone. Legal systems have impact on it. In Japan, we are working closely with
the Japanese government to sort out the issues. I think this needs to be
replicated to anywhere in the world. That is why we need to have a good
representation from the different jurisdictions for the board. <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>Having said that, the assurance
framework alone does not solve the problem. We should use reputation services
in conjunction with it. That is why I have created ORMS TC at OASIS. <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
</div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;
border-width:initial;border-color:initial'>
<div>
<ol style='margin-top:0in' start=1 type=1>
<li class=MsoNormal style='color:black;mso-list:l1 level1 lfo4'>Do you think
that instead of hiring an executive director, the load of the different
tasks could be shifted to a small group of different persons instead
(foundation management)? Would you view such a scenario as possible and
perhaps more efficient? (Considering the amount to be paid for an ED, I
suspect that many highly motivated and capable individuals from within the
community or from outside could do a better job than one individual and
receive fair compensation for their work.)<o:p></o:p></li>
</ol>
</div>
</blockquote>
<div>
<div>
<p class=MsoNormal><span style='color:black'>This is exactly what we are doing
in OpenID Foundation Japan. Instead of hiring an ED, we have distributed tasks
to a (business-wise) motivated group of people for each topic. Providing them the
benefit of doing it seems to deliver a better ROI at least in Japan. I am not
entirely sure about the situation in the U.S. and other countries, but
considering that OIDF is resource constrained, it certainly is a path that
should be considered. <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
</div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;
border-width:initial;border-color:initial'>
<div>
<div>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>--<o:p></o:p></span></p>
</div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal>Regards <o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal>Signer: <o:p></o:p></p>
</div>
</td>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal>Eddy Nigg,<span class=apple-converted-space> </span><a
href="http://www.startcom.org" target="_blank">StartCom Ltd.</a><o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal>Jabber: <o:p></o:p></p>
</div>
</td>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal><a href="mailto:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal>Blog: <o:p></o:p></p>
</div>
</td>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal><a href="http://blog.startcom.org" target="_blank">Join
the Revolution!</a><o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal>Phone: <o:p></o:p></p>
</div>
</td>
<td style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal>+1.213.341.0390<o:p></o:p></p>
</div>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
</td>
</tr>
</table>
</div>
</div>
<div>
<p class=MsoNormal><span style='color:black'><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
<div>
<p class=MsoNormal><span style='color:black'><br>
<br clear=all>
<br>
--<span class=apple-converted-space> </span><br>
Nat Sakimura (=nat)<br>
<a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>