<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'>“CAs
who fail to meet the burden of proof for the broad business value of their
offering to Microsoft customers.”<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'>The
program listed fails UCI test.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'>In
UCI, the user (all 6 billion of us) decide which OP is good, which CA is good -
not Microsoft business analysts.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Jorgen Thelin<br>
<b>Sent:</b> Friday, January 02, 2009 7:13 PM<br>
<b>To:</b> Eddy Nigg (StartCom Ltd.); general@openid.net >>
"general@openid.net"<br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>While considering these issues, you guys may be interested to
see the details of the Microsoft Root Certificate Program.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal style='text-indent:.5in'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><a
href="http://technet.microsoft.com/en-us/library/cc751157.aspx">http://technet.microsoft.com/en-us/library/cc751157.aspx</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The Microsoft Root Program lists the details and requirements
for the Microsoft Root Certificate Program.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>The MS Root Program attempts to establish a minimum baseline for
PKI-based security -- to at least warn Windows / IE users before that make some
obviously bad decisions around SSL trust – such as warning users before they
access sites that use certificates with known weak hash algorithms.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You can see the technical requirements for CAs in the above
document that are used by any browsers running on Windows.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> “Identity is easy, but Trust is hard!”<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Eddy Nigg (StartCom
Ltd.)<br>
<b>Sent:</b> Friday, January 02, 2009 2:01 PM<br>
<b>To:</b> general@openid.net >> "general@openid.net"<br>
<b>Subject:</b> Re: [OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP
implementations)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>On 01/02/2009 10:45 PM, Martin Paljak: <o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>On 02.01.2009, at 15:16, Eddy
Nigg (StartCom Ltd.) wrote:<o:p></o:p></p>
<p class=MsoNormal>Martin, failures and disclosing them serves the purpose to
improve and prevent them. I'm responsible for disclosing one of the listed
above, which however doesn't mean that public certification is a total failure.
It speaks rather for the dedication and also the ability of the industry to
control and improve itself. <o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Of course disclosure is good.
But as you have interests in one CA I have to take your opinion as probably
biased ;) <o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
Right! And as such I have an interest that my work isn't de-valued by other
CAs. Such is the interest of many CAs and hence there is a real interest that
we (CAs) are able to upheld the promises we make as a collective. That's why
incidents such as I reported are extremely bad and must not happen. I'm active
in different forums out of my biased interest to make and keep PKI reliable.<br>
<br>
Disclaimer: Mistakes can happen, negligence must not however.<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><br>
"Nothing to see here, move along, EV fixes everything". Yes -
technically, within the boundaries set by the established CA business,
everything is OK and will be even better with EV. But I try to question the
existing, current approach of CA-s doing business under the name "trust
business". CA-s should deal with certification and users should be dealing
with trust issues and decisions. PKI as we know it now is not an implementation
I like as a (loud minority) user. <o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
Well, the minority of the Netizens have the ability to make the decisions you
like them to make. I'm not sure about you, but how many CP/CPS of CAs have you
read recently before making a decision if to trust?<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Good question. As "you can
do anything with OpenID" I believe it is left open - you can do whatever
if you want if you consider it useful. <o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Sure, that's why we are here,
aren't we? :-)<o:p></o:p></p>
<div>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Signer: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Eddy Nigg, <a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Jabber: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Blog: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>Phone: <o:p></o:p></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal>+1.213.341.0390<o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan=2 style='padding:0in 0in 0in 0in'>
<p class=MsoNormal> <o:p></o:p></p>
</td>
</tr>
</table>
<p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p>
</div>
</div>
</div>
</body>
</html>