<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:-webkit-monospace;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'>The test today should be, merely: is there some mechanism
provided by the RP which enables a user with an RP session to register the CA
certs of the OPs s/he uses. Yes, I recognize that – to be keep things
ultra contained for the openid “library-centric” programming culture
– a user may need to use first the rendezvous-point of a megaOP to access
the RP via openid, over which channel one then performs the act of CA/CTL registration.
<o:p></o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:#1F497D'>“Bootstrapping” discovery schemes and Rendezvous-point
mapping directories are well understood topics, in the multicast key management
world. They enable source-based multicast routing trees to cooperate with a
sparse domain of consumers. If openid can just adopt the abstract model of a
bootstrap, we will have found the initial crack in the 80:20 rule armor on the
topic - through which openid will later be able to further evolve – and later
properly exploit with internet-centric discovery protocols that are part of the
internet security architecture.<o:p></o:p></span></b></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
</div>
<div>
<p class=MsoNormal>I think people should be allowed to provide there
own service and take there own risks if they are informed. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>However there is never guarantee that any ID will
be accepted at every RP.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>For you and Shade I have added an OSIS test for RPs
accepting CA Cert certificates.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>This is a bit of an odd test, in that I honestly don't know
if accepting the cert is pass or fail.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>I think what to do should be left up to the RPs
policy. <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>In any event there is now a test that people can run to
check what a RP is accepting.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><a href="https://test-id.org/RP/CACert.aspx">https://test-id.org/RP/CACert.aspx</a><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Regards<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>John Bradley<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class=MsoNormal>On 17-Mar-09, at 3:01 PM, <a
href="mailto:general-request@openid.net">general-request@openid.net</a> wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span class=apple-style-span><span
style='font-size:7.5pt;font-family:"-webkit-monospace","serif";color:black'>Date:
Tue, 17 Mar 2009 15:01:20 -0700</span></span><span style='font-size:7.5pt;
font-family:"-webkit-monospace","serif";color:black'><br>
<span class=apple-style-span>From: Peter Williams <<a
href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span><br>
<span class=apple-style-span>Subject: Re: [OpenID] Backwards Compatibility</span><br>
<span class=apple-style-span>To: Andrew Arnott <<a
href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>>, Allen Tom</span><br>
<span class=apple-tab-span> </span><span
class=apple-style-span><<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>></span><br>
<span class=apple-style-span>Cc: "<a href="mailto:general@openid.net">general@openid.net</a>"
<<a href="mailto:general@openid.net">general@openid.net</a>></span><br>
<span class=apple-style-span>Message-ID:</span><br>
<span class=apple-tab-span> </span><span
class=apple-style-span><<a
href="mailto:BFBC0F17A99938458360C863B716FE46398DCA858A@simmbox01.rapnt.com">BFBC0F17A99938458360C863B716FE46398DCA858A@simmbox01.rapnt.com</a>></span><br>
<span class=apple-style-span>Content-Type: text/plain;
charset="us-ascii"</span><br>
<br>
<span class=apple-style-span>Hmm. Now I object.</span><br>
<br>
<span class=apple-style-span>That presupposes (yet again) that only well known
OPs are of any consequence.</span><br>
<br>
<span class=apple-style-span>What SSL taught us is that what really matters is
the a half billion SSL domains that hardly anyone knows about (they are almost
all wifi routers, with a self-signed cert for https admin)</span><br>
<br>
<span class=apple-style-span>All depends on what the mission of openid is. 10
giant megaOPs, or the little guy (of which there are a lot).</span></span><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>