<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'>Delete now. I hope
these issues are being addressed in the spec council more formally – over
the CX proposal’s general contribution to similar problems faced by
deployers (vs. library writers).<o:p></o:p></span></p>
<p class=MsoNormal style='border:none;padding:0in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What is the problem with the status quo in OpenID culture?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The fundamental problem is: I, an association of users, want to
run my own CA (like Eddy does, too). Since openid is about UCI and not “e-commerce”,
the practices that have evolved for PKI/https in e-commerce do not automatically
roll over. Pretend its 1994 again, and there are 2000 ISPs all running
100 modem multiplexors and then a few servers doing website hosting. Isn’t
this the OP vision? (That ISP model is how US realty is organized and governed.)
Or are we just here to induce 6B people to sign up to the mega-powerful US
firms: Google, Yahoo, AOL, Live, VeriSign, SixApart (or their Japan/China/Korea
subsidiaries)? In the US realty case, that equates to removing the power of
membership from towns, and centralizing in the national realtor association. Is
this truely the end goal of this movement? (Nate observes that this seems
an inevitability.)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The secondary problem: I the user of a vanity domain for Openid typically
cannot sign up to the legal agreements the typical CAs impose (They typically impose
projection of copyrights that open source software folks object to “on
principle”). I typically also lose independence in my risk
management, given the way the timely material disclosure rules are written. This
loss of independence exists to satisfy the CA’s insurer, and buys me actually
nothing; but I lose a lot since the insurer (with whom I have no relationship) can
impact my communications capabilities with others, at their whim. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The third problem: If I’m a user with a vanity blogsite/XRI
doing openid delegation and even if *<b>I</b>* find it suitable to ascribe to
those CA rule of the blogsite/HXRI-proxy, I’m imposing the governance
rules of the CAs on all other (cert) using/relying parties coming to my vanity
URL – including the copyright notices. That is I’m projecting the
governance of a TTP (which is not even the OP!) onto the RPs. I don’t want
to do that. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Those 3 are all un-UCI. All we did was move from Facebook
rules on contact sharing and Aol rules on IM interworking… to CA rules. All
we did was shunt the rule making about user governance around the corner to the
next infrastructure player. It’s still not in the user’s
court (once the secure modes of openid are applied).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The point about the Microsoft rules is that they won’t (and
don’t) put in their WindowsUpdate root distribute list just any CA: they
only put folks who have a broad business value to Microsoft. From what Eddy
tells me, his CA is not recognized by Windows or Nerdbank therefore (albeit for
other reasons that may be going away). That is, Microsoft has a measure of controls
over Eddy’s ability to run a vanity https openid domain service. At any
time, the CA can also disappear from the root list, en masse, at the next patch
update cycle. If I am an running a private supply chain, with 3000 nodes, I
cannot have my $15 CA suddenly stop the VoATM call setup communications between
the 3000 H323 call agents just because Microsoft doesn’t like the elements
of the CA’s policy statement, any longer. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>What we surely want for openid discovery is what we have on the
web, today. I buy a $50 wifi router from the supermarket along with the bread
and milk, turn on its https administration website, import the root on the desktops
of the authorized folk who will administer it , then lower the policing level that
thence allows https access to the control plane through designated (virtual) interfaces
– which is probably means the WAN-side of the NAT in a $50 router.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Now, sites like nerdband HAVE ALREADY shown that openid culture CAN
support a bread and milk culture, making it even easier than before to “securely”
distribute that CA (self-signed) cert to my own, per user OP->RP trust network.
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Even though nerdbank (i.e. or its actual policy authority,
called TTP=GoDaddy) will not work with my vanity URL choice or with eddy’s
CA service (that Mozilla accepts but MSFT doesnt, apparently), it will work
with the myopenid (and whichever policy authority is governing MyOpenID’s
https communications.) Since openid is ”secure” , Nerdbank now has
the configuration power to know talk to my vanity openid site over https (if
it wants to). Obviously, that config can be automatic, or not (depending on the
risk model and policies of NerdBank. But at least openid trust is in the hands
of opendnd entities (NerdBank) - with no normative role.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Andrew Arnott
[mailto:andrewarnott@gmail.com] <br>
<b>Sent:</b> Saturday, January 03, 2009 7:08 AM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Jorgen Thelin; Eddy Nigg (StartCom Ltd.); general@openid.net
>> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>On Sat, Jan 3, 2009 at 4:39 AM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span class=apple-style-span><span style='font-size:8.5pt'>In UCI, the user
(all 6 billion of us) decide which OP is good, which CA is good - not Microsoft
business analysts.</span></span><o:p></o:p></p>
</div>
</div>
<div>
<p class=MsoNormal>Peter,<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Microsoft leaves all 6 billion of us to choose which CAs are
good. Every Windows OS admin has the freedom to manipulate the list of
trusted CAs. But as with any UCI design, that means that each of those 6B
people may have a unique set, and you'll never know for sure whether you cert
is signed by a CA that a random one of those 6B choose to trust.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I'm not sure how we got off on EV certs. You
absolutely don't need EV certs to make sure that some random RP will definitely
accept the cert. There are several CAs out there that 99.9% of the
browsers and RPs out there trust and they're often quite inexpensive.
What problem am I missing?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Sat, Jan 3, 2009 at 4:39 AM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:8.0pt'>"CAs who fail to meet the burden of proof
for the broad business value of their offering to Microsoft customers."</span><o:p></o:p></p>
<p><span style='font-size:8.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:8.0pt'>The program listed fails UCI test.</span><o:p></o:p></p>
<p><span style='font-size:8.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:8.0pt'>In UCI, the user (all 6 billion of us) decide
which OP is good, which CA is good - not Microsoft business analysts.</span><o:p></o:p></p>
<p><span style='font-size:8.0pt'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Jorgen Thelin<br>
<b>Sent:</b> Friday, January 02, 2009 7:13 PM<br>
<b>To:</b> Eddy Nigg (StartCom Ltd.); <a href="mailto:general@openid.net"
target="_blank">general@openid.net</a> >> "<a
href="mailto:general@openid.net" target="_blank">general@openid.net</a>"<o:p></o:p></span></p>
<div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt'><br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>While considering these issues,
you guys may be interested to see the details of the Microsoft Root Certificate
Program.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p style='text-indent:.5in'><span style='font-size:11.0pt;color:#1F497D'><a
href="http://technet.microsoft.com/en-us/library/cc751157.aspx" target="_blank">http://technet.microsoft.com/en-us/library/cc751157.aspx</a></span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>The Microsoft Root Program
lists the details and requirements for the Microsoft Root Certificate Program.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>The MS Root Program attempts to
establish a minimum baseline for PKI-based security -- to at least warn Windows
/ IE users before that make some obviously bad decisions around SSL trust
– such as warning users before they access sites that use certificates
with known weak hash algorithms.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>You can see the technical
requirements for CAs in the above document that are used by any browsers
running on Windows.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> "Identity is easy,
but Trust is hard!"</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br>
<b>Sent:</b> Friday, January 02, 2009 2:01 PM<br>
<b>To:</b> <a href="mailto:general@openid.net" target="_blank">general@openid.net</a>
>> "<a href="mailto:general@openid.net" target="_blank">general@openid.net</a>"<br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)</span><o:p></o:p></p>
</div>
</div>
<p> <o:p></o:p></p>
<p>On 01/02/2009 10:45 PM, Martin Paljak: <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>On 02.01.2009, at 15:16, Eddy Nigg (StartCom
Ltd.) wrote:<o:p></o:p></p>
<p>Martin, failures and disclosing them serves the purpose to improve and
prevent them. I'm responsible for disclosing one of the listed above, which
however doesn't mean that public certification is a total failure. It speaks
rather for the dedication and also the ability of the industry to control and
improve itself. <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Of course disclosure is good. But as you have
interests in one CA I have to take your opinion as probably biased ;) <o:p></o:p></p>
<p style='margin-bottom:12.0pt'><br>
Right! And as such I have an interest that my work isn't de-valued by other
CAs. Such is the interest of many CAs and hence there is a real interest that
we (CAs) are able to upheld the promises we make as a collective. That's why
incidents such as I reported are extremely bad and must not happen. I'm active
in different forums out of my biased interest to make and keep PKI reliable.<br>
<br>
Disclaimer: Mistakes can happen, negligence must not however.<o:p></o:p></p>
<p><br>
"Nothing to see here, move along, EV fixes everything". Yes -
technically, within the boundaries set by the established CA business, everything
is OK and will be even better with EV. But I try to question the existing,
current approach of CA-s doing business under the name "trust
business". CA-s should deal with certification and users should be dealing
with trust issues and decisions. PKI as we know it now is not an implementation
I like as a (loud minority) user. <o:p></o:p></p>
<p style='margin-bottom:12.0pt'><br>
Well, the minority of the Netizens have the ability to make the decisions you
like them to make. I'm not sure about you, but how many CP/CPS of CAs have you
read recently before making a decision if to trust?<o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Good question. As "you can do anything
with OpenID" I believe it is left open - you can do whatever if you want
if you consider it useful. <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Sure, that's why we are here, aren't we? :-)<o:p></o:p></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>Eddy Nigg, <a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>startcom@startcom.org<o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p> <o:p></o:p></p>
</td>
</tr>
</table>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>