<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It may be conceived to be exactly what you say.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I didn’t look at the OAUTH hybrid model element of the
work -- in which presumably the OP (cum authentication authority) acts as
an OATH-SP storing not browser-uploaded photos but “just purchased stuff”
now released to the openid auth authenticated subscriber (only) by the OAUTH-consumer=OpenID-Consumer.
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Knowing VeriSign’s business model for selling TTP services,
the intent will _<i>probably</i>_ be to have the OP’s trusted vault
become the DRM enforcement point for the consumer site(s) selling “content” that
can be “played” on other RP sites, etc. Finally a business model
for OPs and social networks – the crypto-based shared-policy enforcer…
for n RP sites! (aka the TTP business, a la AOL/MSN of the 1996 period!)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It is more interesting than the typical OATH world _<i>because</i>_
the OAUTH-Consumer is exploiting the security handshake to get for the OATH-RP write
privileges (on the trusted vault) and get perhaps even participation in the
keying of the RP-property deposited material within said vault, where the
shared keying controls -- DRM-like – control data-release to other RPs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Peter.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Chris Messina
[mailto:chris.messina@gmail.com] <br>
<b>Sent:</b> Friday, February 20, 2009 9:28 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Andrew Arnott; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Personally, what I'm interested in, at least in terms of how I
read it, which may not be at all what this thing is, is a storage-in-the-cloud
discovered off of your OpenID.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>For example, I sign in to Amazon.com with my OpenID, it
discovers my "Lockbox" or "Digital Locker", I do the
hybrid dance so that Amazon can dump stuff into my Lockbox, and then whenever I
purchase MP3s or hardware that come with digital manuals, Amazon just passes
the data directly to my Lockbox.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>No need for me to download/save to my local machine.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>If that's not what this is, then, oh well.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>Chris<o:p></o:p></p>
<div>
<p class=MsoNormal>On Fri, Feb 20, 2009 at 12:10 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>So it's a proprietary initial
login to an OP (that happens to do some encrypted file store stuff, possibly
leveraging the proprietary token for key management). This seems useful, if
you think that store holding the same kind of consent/audit/release logs that
myopenid keeps around (tracking/tracing your communications with RPs)</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Once you have a session, it
happens to offer openid assertions to SPs.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>The behavior seems similar to
the Google BlogSpot service, where you had to first login to BlogSpot
using google proprietary means, and only then could you leave an authenticated
comment on the blogspot site using some (or other) OP. In reality Google was
tracking your comment using the proprietary means, but one was present in
the OP name to comment readers.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Friday, February 20, 2009 11:08 AM<br>
<b>To:</b> Chris Messina<br>
<b>Cc:</b> DiSo Project; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Sorry... this doesn't seem like OpenID
authentication to me. Verisign only lets you log into the vault using
your PIP account, which although PIP is an OpenID Provider, means that OpenID
has nothing to do with your authentication experience. You can't use any
openid to log in -- you just log in with your PIP username and password, and a
hardware credential that costs at least $30 to boot.<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>On Fri, Feb 20, 2009 at 10:57 AM, Chris Messina <<a
href="mailto:chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>>
wrote:<o:p></o:p></p>
<p>I find this very interesting:<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p><a href="http://infosecurity.us/?p=6437" target="_blank">http://infosecurity.us/?p=6437</a><o:p></o:p></p>
</div>
<div>
<p><a
href="http://blogs.verisign.com/innovation/2009/02/pip_update_a_free_secure_digit.php"
target="_blank">http://blogs.verisign.com/innovation/2009/02/pip_update_a_free_secure_digit.php</a><o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>It's how it works over OpenID that is most compelling (though this is really
just the OpenID + OAuth hybrid, minus OAuth):<o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p><u><span style='color:#0000EE'><a
href="http://infosecurity.us/images/openid_protocol.png" target="_blank">http://infosecurity.us/images/openid_protocol.png</a></span></u><o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<p>So basically it's like MobileMe attached to your OpenID, with the ability to
provide delegated access!<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>Thoughts?<o:p></o:p></p>
</div>
<div>
<p><br>
Chris<br>
-- <br>
Chris Messina<br>
Citizen-Participant &<br>
Open Web Advocate-at-Large<br>
<br>
<a href="http://factoryjoe.com" target="_blank">factoryjoe.com</a> # <a
href="http://diso-project.org" target="_blank">diso-project.org</a><br>
<a href="http://citizenagency.com" target="_blank">citizenagency.com</a> # <a
href="http://vidoop.com" target="_blank">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ]
private<o:p></o:p></p>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><br>
<br clear=all>
<br>
-- <br>
Chris Messina<br>
Citizen-Participant &<br>
Open Web Advocate-at-Large<br>
<br>
<a href="http://factoryjoe.com">factoryjoe.com</a> # <a
href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a
href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ]
private<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>