<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:946044008;
mso-list-template-ids:-493863112;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Well, I suspect agree on most things. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This election (given its pretty formal, under the legalities facing
corporate officers) will set a standard for some time. We will see what the board
secretary allows in practice on https-level assurances/requirements/obligations,
in order to confer legitimacy on the result. I intend to compare how this is
run to the web-based voting services many of my customers have used to years use
for their committees. Hopefully, it will establish some legal precedents for
applying websso, that they too can leverage as acceptable business practice.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Concerning your thoughts:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In general, any SP/consumer site that becomes a magnet for lots
of folks using openids…to which other (mega) OPs have sent it authenticated customers
and attributes (I mean users and their UCI data, sorry), will naturally want to
turn around that data mine and become a provisioneer of openids in its own
right. (If this was a MPLS and BGP forum, I’d be calling it a scalable ‘route reflector’!)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This is the crux of the SAML “SP affiliation” model, of course,
where one SP acts as a naming/control authority for several other SPs – who are
willing to take the primary SP’s lead when engaging in such as the “google-style
persistent/per-realm naming pseudonyms” when dealing (uniformly, as a
consortium) with the mega-OPs. Of course, the SPs in the affiliation can and
will share (non-OP-copyrighted) attributes about the commonly named/authenticated
entity, outside the (legal or DRM) controls of the IDPs/OPs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Once Nat has his way (and its inevitable and late already),
there will soon be a legal notice in the openid assertion (or in some “terms of
service” bit format extensions) that places limits on authorized use and
reliance of assertions, limiting reliance by downstream third parties without a
binding and limiting contract with the OP/AX provider. It will soon prohibit
such affiliate/repurposing behavior, as a way of enforcing through legal controls
what technical controls cannot do (without running either a single, giant key
management domain, or a centralized metadata repository.)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Is funny that OpenID bootstrapped itself on UCI - but will surely
now evolve into a very large web-scale control system. It will probably rather
more effective than the UK/US/Aus governments even wanted the PKI vendors to enable
for them (since openid runs at the app layer, rather than behind a difficult to
access network socket).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Eddy Nigg (StartCom
Ltd.)<br>
<b>Sent:</b> Sunday, December 07, 2008 6:31 PM<br>
<b>To:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] Changes to the OpenID Foundation member page login<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><br>
On 12/08/2008 02:29 AM, Peter Williams: <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Eddy:</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Let’s get down and dirty, since https OpenIDs are part of the
standard. </span><o:p></o:p></p>
<p class=MsoNormal><br>
Yes, why not....because I haven't lost too much thought about it...<br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I don’t see how we can easily wash our hands of PKI (much
as I’d love to do so).</span><o:p></o:p></p>
<p class=MsoNormal><br>
The questions below are actually interesting. Obviously I answered them for my
own organization concerning being a relying party, but never thought about it
in relation to the OpenID Foundation.<br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Would you counsel the
secretary running the election to accept http (i.e. non-https) openids in the
coming election?</span><o:p></o:p></p>
<p class=MsoNormal><br>
No<br>
<br>
<br>
<o:p></o:p></p>
<p class=MsoListParagraph><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If https openids are
used by votering members, would you counsel that the rules should prevent those
presumed voters from using the election site?</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If https openids are
used and acceptable under the election rules, would you counsel that the
election site from accept any and all CAs supporting that https channel?</span><o:p></o:p></p>
<p class=MsoListParagraph><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in'><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If proper https
openids are used when exercising a voting right, would you counsel that the
Foundation limit the CAs used in https openids to any particular list of CA
service providers?</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal>This actually lead me to the following suggestions: <br>
<br>
A reasonable solution would be to combine the root lists of the most popular
browsers and operating systems (e.g. Microsoft, Apple, Mozilla). And than I
thought, how about OpenID Foundation members receiving an OpenID from
openid.net? I mean, this could be exclusively for members only and could be
used to solve the problems of <o:p></o:p></p>
<ol start=1 type=1>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>various login problems, <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>questions as the ones from above, <o:p></o:p></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo1'>not favoring any OP, being truly THE OpenID
provider (for members). <o:p></o:p></li>
</ol>
<p class=MsoNormal><br>
That could be really kewl ;-)<br>
<br>
<br>
<o:p></o:p></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
</table>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>