<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thinking about this more, VeriSign is going with the right security
architecture (for a de-centralized, crypto-driven web capable of enforcing local
privacy policies).We can see what is right with it, in architectural terms, by comparison
with other conceptions of the world of “controlled attribute release and
repurposing”.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In the Shib2/SAML2 conception of the world of websso, the OP=IDP
is all powerful; second only to the masterful and typically highly-nationalistic
“federation” that SHOULD govern who MAY talk to whom(*). Though
the underlying SAML protocols support RP-centric (aka SAML SP-centred) federations
just as well as they do support idp-centric federations (particularly when
exploiting the SAML websso “affiliation” model), they are not being
widely promoted these days in websso circles.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In OpenID and OAUTH, the world is far more centered on the view
of the user from the RP’s perspective – a world in which OAUTH-SPs
and OPs are merely supporting actors.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In contrast to the centralized vision, in the decentralized
model the OpenID RP talks directly to users in a context of contractual privity,
with or without the bootstrapping or intermediation of an OP or an OAUTH-SP. The
several OPs and any SPs are mere “optional, redundant proxies” for
the user, doing a bit of automated assertion-minting or data-management work
for the user from a web server (vs the user’s always-on PC). When wanting
an assertion, a user-authorized RP gets one from some or other OP, as
negotiated with the user through discovery. When wanting delegation-assertions,
RPs get them from some other openid/OAUTH hybrid OP. When seeking privileges
on a data store, a given RP now leverages is delegation-assertion grant to get those
to which it is entitled …from the particular OAUTH-SP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Now in this rp-centric world, a particular OP that happens to
operated a trusted crypto-vault service could be supporting several “affiliations”
of RPs with which the user interacts– where any one affiliation is a
particular subset of those OAUTH consumers who have each been granted a
suitable delegation-assertion that the OAUTH handshake will require - to get
either write or read privileges on the vault-managed data-records pertaining to
that affiliation.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If we take a music player-licensing/distribution example,
I CAN see a user logging on to a “hybrid-class” myopenid OP (say),
using live.com’s non-hybrid OP or cardspace STS as an authenticator
fro the myopenid OP session. The per-user vault service of myopenid may now support
2 affiliations say – each a distinct OAUTH-SP, formally. Only RP-affiliation
members can gain privileged access to the associated crypto-compartment within
the vault ( in which Live OP as authenticator is not an affiliation member,
though myopenid’s hybrid OP is – as vault operator). Should the
user consensually release a myopenid name assertion to a particular OpenID RP store
distributing music licenses, the hybrid openid/oauth myopenid could now be
creating a suitable delegation-assertion. This would allow the music-RP to
write records (music file) to the crypto compartment of the user’s vault,
as fronted by the OAUTH-SP protocol engine that is co-resident with the OP’s
openid engine. If contributing keying material to the security of the records
stored in this depository, the writing/owning RP could be crypto-limiting (on
an end-end basis) release of plaintext version of the record – limiting the
unwrapping privilege to only those members of the particular RP affiliation
associated with the particular vault compartment to which their delegation-assertion
grant pertains (<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Multi stage DH has all the crypto one needs for these types of
point-to-multipoint topology schemes, where crypto is the writer-to-reader access
control primitive. (Lookup “KEA” in IETF documents, for more info).
In VeriSign’s case, one can see the PIP hardware token (an application of
OATH OTPs rather than securid or s/key OTPs) itself being part of the
crypto-enforcement. In that world, the authenticator crypto-token is not only
the means to confirm possession of authentication keying material pursuant to
an OP logon, but its crypto-role is also participating in the user-centric release
of records to particular rp-affiliations from the vault. This seems sensible
given the relationship of some OTP algorithms with merkle-trees, as it limits
the opportunity of OPs to go rogue on the user in releasing attributes covert
(with user consent, that is) – and thereby misuse authority.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b>On Behalf Of </b>Peter
Williams<br>
<b>Sent:</b> Friday, February 20, 2009 11:33 PM<br>
<b>To:</b> Chris Messina<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It may be conceived to be exactly what you say.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I didn’t look at the OAUTH hybrid model element of the
work -- in which presumably the OP (cum authentication authority) acts as
an OATH-SP storing not browser-uploaded photos but “just purchased
stuff” now released to the openid auth authenticated subscriber (only) by
the OAUTH-consumer=OpenID-Consumer. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Knowing VeriSign’s business model for selling TTP
services, the intent will _<i>probably</i>_ be to have the OP’s trusted
vault becomes the DRM enforcement point for the consumer site(s) selling
“content”that can be “played” on other RP sites, etc.
Finally a business model for OPs and social networks – the crypto-based
shared-policy enforcer… for n RP sites! (aka the TTP business, a la
AOL/MSN of the 1996 period!)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>It is more interesting than the typical OATH world _<i>because</i>_
the OAUTH-Consumer is exploiting the security handshake to get for the OATH-RP
write privileges (on the trusted vault) and get perhaps even participation in
the keying of the RP-property deposited material within said vault., where the
shared keying controls -- DRM-like – control data-release to other RPs.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Peter.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Chris Messina
[mailto:chris.messina@gmail.com] <br>
<b>Sent:</b> Friday, February 20, 2009 9:28 PM<br>
<b>To:</b> Peter Williams<br>
<b>Cc:</b> Andrew Arnott; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Personally, I'm interested in, at least in terms of how I
read it, which may not be at all what this thing is, is a storage-in-the-cloud
discovered off of your OpenID.<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>For example, I sign in to Amazon.com with my OpenID, it
discovers my "Lockbox" or "Digitial Locker", I do the
hybrid dance so that Amazon can dump stuff into my Lockbox, and then whenever I
purchase MP3s or hardware that come with digital manuals, Amazon just passes
the data directly to my Lockbox.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>No need for me to download/save to my local machine.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>If that's not what this is, then, oh well.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>Chris<o:p></o:p></p>
<div>
<p class=MsoNormal>On Fri, Feb 20, 2009 at 12:10 PM, Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>So it's a proprietary initial
login to an OP (that happens to do some encrypted file store stuff, possibly
leveraging the proprietary token for key management). This seems useful, if
yuou think that store holding the same kind of consent/audit/release logs that
myopenid keeps around (tracling/tracing your communications with RPs)</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Once you have a session, it
happens to offer openid assertions to SPs.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>The behavior seems similar to
the Google BlogSpot service, where you had to first login to BlogSpot
using google proprietary means, and only then could you leave an authenticated
comment on the blogspot site using some (or other ) OP. In reality Google was
tracking your comment using the proprietary means, but one was present in
the OP name to comment readers.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>]
<b>On Behalf Of </b>Andrew Arnott<br>
<b>Sent:</b> Friday, February 20, 2009 11:08 AM<br>
<b>To:</b> Chris Messina<br>
<b>Cc:</b> DiSo Project; OpenID List<br>
<b>Subject:</b> Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p> <o:p></o:p></p>
<p style='margin-bottom:12.0pt'>Sorry... this doesn't seem like OpenID
authentication to me. Verisign only lets you log into the vault using
your PIP account, which although PIP is an OpenID Provider, means that OpenID
has nothing to do with your authentication experience. You can't use any
openid to log in -- you just log in with your PIP username and password, and a
hardware credential that costs at least $30 to boot.<br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<o:p></o:p></p>
<div>
<p>On Fri, Feb 20, 2009 at 10:57 AM, Chris Messina <<a
href="mailto:chris.messina@gmail.com" target="_blank">chris.messina@gmail.com</a>>
wrote:<o:p></o:p></p>
<p>I find this very interesting:<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p><a href="http://infosecurity.us/?p=6437" target="_blank">http://infosecurity.us/?p=6437</a><o:p></o:p></p>
</div>
<div>
<p><a
href="http://blogs.verisign.com/innovation/2009/02/pip_update_a_free_secure_digit.php"
target="_blank">http://blogs.verisign.com/innovation/2009/02/pip_update_a_free_secure_digit.php</a><o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>It's how it works over OpenID that is most compelling (though this is really
just the OpenID + OAuth hybrid, minus OAuth):<o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p><u><span style='color:#0000EE'><a
href="http://infosecurity.us/images/openid_protocol.png" target="_blank">http://infosecurity.us/images/openid_protocol.png</a></span></u><o:p></o:p></p>
</div>
<div>
<p> <o:p></o:p></p>
</div>
<p>So basically it's like MobileMe attached to your OpenID, with the ability to
provide delegated access!<o:p></o:p></p>
<div>
<p> <o:p></o:p></p>
</div>
<div>
<p>Thoughts?<o:p></o:p></p>
</div>
<div>
<p><br>
Chris<br>
-- <br>
Chris Messina<br>
Citizen-Participant &<br>
Open Web Advocate-at-Large<br>
<br>
<a href="http://factoryjoe.com" target="_blank">factoryjoe.com</a> # <a
href="http://diso-project.org" target="_blank">diso-project.org</a><br>
<a href="http://citizenagency.com" target="_blank">citizenagency.com</a> # <a
href="http://vidoop.com" target="_blank">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ]
private<o:p></o:p></p>
</div>
<p style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal><br>
<br clear=all>
<br>
-- <br>
Chris Messina<br>
Citizen-Participant &<br>
Open Web Advocate-at-Large<br>
<br>
<a href="http://factoryjoe.com">factoryjoe.com</a> # <a
href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a
href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ]
private<o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>