<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The quite common derogation of https openid by some many folk in
the community really amazes me. It’s like there are two sub-communities here. Some
understand the nature of the discovery process that powers openid, and others perhaps
don’t. We have folks with the experience to be writing OASIS trusted resolution
spec for XRI, and define HXRIs proxy introductions. And, we have folks who
cannot configure a CTL (ie. run a root registration authority) even though
thousands of vb programmers can now do it.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ive no idea what “end-end” HTTPS identifier support is. Presumably
it contrasts with link-based HTTPS identifier support (ES to IS, IS to IS, HTTPS
CONNECT proxy to client , HTTP1.1 proxy to server with optional TLS upgrade, etc)..
So, since I’m evidently ignorant (as usual) , it always help to be open minded.
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What is it?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In, terms of Brand, we could certainly drop the painful https
OpenIDs. But, we’d have to stop talking about the anti-phishing properties of
openid. By its elimination and without some replacement, we’d be making the
phishing problem worse: it’s just the nature of HTTP redirect handoffs that
power foreground openid auth. (And lets not forget, the leadership has
recommended against pursuing backchannel flows of openid auth assertions)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Of course, we should ask: Are there any alternatives to SSL+PKI just
sitting there waiting for mass adoption by 2 billion consumers? <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In terms of the perceived “brand”, do recall websso technology competitors
already know we’ve been through 3 methods now: trusted XRI resolution procedures
(reject), HXRIs (reject), HTTPS OpenID (reject?). They may even claim the community
failed to deliver on its promise of a cardspace-leveraging method too, since its
“harmonization” with a modified openid2 auth seems to have dropped off the
radar.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Eddy Nigg (StartCom
Ltd.)<br>
<b>Sent:</b> Friday, December 12, 2008 2:12 AM<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] My answers to the nominee questions<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>On 12/12/2008 09:24 AM, Luke Shepard:<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Calibri","sans-serif"'><br>
<b>Things that don’t matter: </b>OpenID as a brand. As Scott put, who cares
about the brand of SMTP? Or HTTP?. Also, some stuff is pretty minor. Like
end-to-end support of HTTPS identifiers. If it gets in the way of usability and
adoption, then it sucks. The real question is, is an HTTP identifier more
secure and usable than using an email and password. If so, then move on.</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
Facebook might not care about security and if their user accounts get phished
and broken by whatever means, but the heavyweights in the computer industry
certainly do. Other corporations as well. Just heard yesterday from a
representative of one of the biggest firms out there (without disclosing names)
what their real problem is (with OpenID) and what needs to change in their
point of view in order to higher the adoption rate of relying parties
(including themselves). You bet that security is (still) one of the main
concerns. Please also note that your provider (Facebook) is only a relying
party to itself - if you really believe in what you said above than open up and
extend the trust to all possible OpenID providers.<br>
<br>
Facebook Connect? I guess it will be as relevant to WebSSO as Alta Vista is for
search today - but OpenID is intended to penetrate and influence a particular
pattern and behavior of the main stream user and his/her Internet experience.
Those were educated to enter user names and passwords for more than a decade,
it will take some time to educate them to something different. OpenID is more
than a protocol or specification - it's a spec, product and educational effort
where security can't be optional but is a way of life (the same way
you've got a lock at your house's door). Besides that, SSL/TLS isn't such a big
deal these days, it's the norm for any authentication form I think.<o:p></o:p></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
</table>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>