<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Kids,</div><div><br></div><div>The GSA is producing a profile of standards.</div><div><br></div><div>OpenID 2.0, PAPE and AX are the only standards.</div><div><br></div><div>Surprisingly, SREG 1.1 is not a standard (I guess we just forgot in our enthusiasm for AX).</div><div><br></div><div>The last thing the GSA wants (as I understand it) is to create new specs and impose them on the community. This includes picking winners and losers in proposed extensions.</div><div><br></div><div>The GSA has not said that openID can never be LoA 2+, only that given the existing specs available to profile, it doesn't meet the criteria of SP800-63 for LoA 2.</div><div><br></div><div>The protocol MUST prevent assertion disclosure at LoA 2.</div><div>That is the main roadblock.</div><div><br></div><div>Other protocols encrypt the assertion to the RP or use a direct SSL connection (artifact binding).</div><div><br></div><div>It is a tradeoff that the openID community needs to consider carefully: security can be increased to meet LoA 2, but it will be at the cost of increased complexity.</div><div><br></div><div>It may not be a good bargain. 
That, however, is a decision for the community to make and not the GSA or any other government.</div><div><br></div><div>I don't believe that CX addresses this issue; it is intended to solve a different trust problem.</div><div><br></div><div>Nat and I have discussed this.</div><div><br></div><div>If there is an extension to openID or changes to the core spec that allow openID to be profiled at LoA 2+, then the GSA or whoever can revisit the profile.</div><div><br></div><div>These things are not cast in stone.</div><div><br></div><div>Some of the things in the TFAP are a challenge for the Shibboleth community as well.</div><div><br></div><div>If a bank wants to send your unencrypted data through a browser as a redirect, good for them.</div><div><br></div><div>The GSA and OMB have to live within SP800-63, and given that, I think the decision to profile openID for LoA 1 while the community sorts out where it wants to go is reasonable.</div><div><br></div><div>My opinions are my own as always, and not representative of any government or organization.</div><div><br></div><div>Take a deep breath, relax, it is all good.</div><div><br></div><div>John B.</div><div><br><blockquote type="cite"><div><font class="Apple-style-span" color="#000000"><br></font>Message: 5<br>Date: Wed, 12 Aug 2009 12:25:45 -0700<br>From: Peter Williams &lt;<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>&gt;<br>Subject: Re: [OpenID] OpenID + Government<br>To: Paul Madsen &lt;<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>&gt;<br>Cc: "<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>"<br><span class="Apple-tab-span" style="white-space:pre">        </span>&lt;<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>&gt;<br>Message-ID: &lt;<a 
href="mailto:73608B74-40FB-419E-A4A5-94C8F0C9673B@rapattoni.com">73608B74-40FB-419E-A4A5-94C8F0C9673B@rapattoni.com</a>&gt;<br>Content-Type: text/plain; charset="us-ascii"<br><br>Ok!<br><br>So you did what myspace did: took the defined extension points and<br>added value. They discarded the dh handshake, and use a vendor<br>specific association protocol (apparently). Better strength and<br>assurance hopefully... falling back to default (low) assurance ...<br>when no better option can be found.<br><br>In your case, I'll guess in the endpoint xrd that you advertise - per<br>the model - additional extension handler names, so adding value via the<br>extension framework. Presumably this offers something suiting banking<br>frauds to only those endpoints wanting to rely on xri resolution ...<br>for capability negotiation and address selection (which is the more<br>openid way of doing things).<br><br>This is all just like ssl, now, where folks up negotiate higher<br>strength mechanisms and higher level operational assurances.<br><br>But look at the difference in my tone and characterization, when<br>discussing the assurance space.<br><br>Let's tell the ssl story using a divisive characterization of<br>assurances, now:<br><br>Oh my god, Netscape's 40bit rc4 ciphersuite with crappy perturbators in<br>the kdf (broken by a French student) and verisign class 1 client certs<br>means ALL of ssl3 is low assurance. Look! GSA confirms it. It's a<br>fact! Folks must now switch to IPsec, for &gt;loa1 assurance level when<br>tunnelling!<br><br>No. That's not how it was handled. 
Nsa/Dod comes along, puts in a missi<br>ciphersuite, adjusts the handshake flow so missi-style key agreement<br>can share the record layer with rsa handshakes, and dod office systems<br>get all the additional strength of missi ciphers and missi assurances<br>when talking amongst themselves (now featuring monthly changing user<br>keying material, key compromise handling, flash authority removal,<br>remote cac applet provisioning on gp smartcards...). They can still<br>interwork with public sites using rsa, at low assurance, however.<br><br>(I'm showing my out of dateness in federal systems. By now, missi will<br>have been renamed 6 times...)<br><br>What we want is strong, professional security engineering, based on cc<br>claims, STD protection profiles, evaluated cryptomodules, even formal<br>methods proving the info flow properties of the strong type system,...<br>And in grassroots centric openid, we want that all to be developed in<br>and shown by common or garden programmers, not just defense<br>contractors working for GSA-affiliated .gov sites.<br><br>On Aug 12, 2009, at 8:37 AM, "Paul Madsen" &lt;<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>&gt;<br>wrote:<br><br><blockquote type="cite">As you acknowledge ('custom extension albeit'), the application you<br></blockquote><blockquote type="cite">are<br></blockquote><blockquote type="cite">referring to supplemented OpenID's own security in order to meet the<br></blockquote><blockquote type="cite">higher assurance requirements.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">With the standardization of that 'custom extension' continuing to<br></blockquote><blockquote type="cite">progress in the OpenID community, perhaps the GSA will in the future<br></blockquote><blockquote type="cite">reevaluate whether the combination can support higher assurance?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">The GSA have 
said (or will say soon I guess) only that OpenID 2.0, as<br></blockquote><blockquote type="cite">profiled, tops out at LOA1 (for US Gov RPs). The profile doesn't<br></blockquote><blockquote type="cite">mention<br></blockquote><blockquote type="cite"> (I think at least, I haven't read it) CX or any other extensions that<br></blockquote><blockquote type="cite">might supplement assurance.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">paul<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">p.s. I believe I am as suspicious of the realty industry as you are of<br></blockquote><blockquote type="cite">Liberty<br></blockquote><blockquote type="cite">Peter Williams wrote:<br></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">So there I am in 2006 trying to let our 100k realtors use their rsa<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">tokencodes at lots of other websites in the realty universe.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Sounds simple, no?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">And I walk into this religion style war of words, of spin meistering,<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">claim and counterclaim ...and an omnipresent culture of the putdown.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Generally: an intense over sensitivity, in the saml camp. 
And it's<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">not<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">because realty is a hot new market for websso sales!<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">As a lapsed security engineer, i love seeing the passion (and i also<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">love the saml product we selected, which we use everyday at a cost of<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">deployment now of about $2000 partner link (taking about 3 days, in<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">most cases)). But the "edginess" I see displayed across not one but<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">several companies is a real issue for going further with saml. 
I feel<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">like I'm stepping across a precipice.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">And the edginess gets noticeably stronger the moment I talk about<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">(also) using openid in our customers' trust networks.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Now you are a good person to challenge on Brett's topic of "GSA<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">has<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">declared openid as inherently unable to address more than loa1<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">assurance requirements". A firm you associate with has been using<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">openid (with a custom extension albeit) for banking transactions -<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">which are not trivial transactions for which low assurance is<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">appropriate. How can I reconcile those 2 statements?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Now I feel I'm being spun to even more. Brett made, in literary<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">analysis, a reaching for that "defining" gsa classification. And in<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">that act of reaching undermined his case for being impartial. 
A good<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">politician doesn't reach for the very classification device that<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">divides folks. He or she enables (almost magically) an acceptable<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">tradeoff.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Is kantara going to formally disarm the samlista brigade and move<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">forward, or have we just got a new name for the same old warhorse?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Grudgingly, they acceptedn<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">On Aug 12, 2009, at 4:10 AM, "Paul Madsen" &lt;<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>&gt;<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">wrote:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Peter, a good theory. 
But you forget to mention that NORAD<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">intentionally<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">scrambled the fighters late to allow the planes to get to the<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">towers.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Peter Williams wrote:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">My value- such as it is- is as an outsider.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I measured 4 sources:<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Sun Micro rsa conference presentation on their openid pilot;<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">rationales for never being an rp<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Ping identity factors gating speed of adoption of openid2 
-<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">privileged access<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Scott Cantor's view on openid2 generally, and saml as used in xrd;<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">raw opinion, shared freely<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">How the uk jisc pilot of openid framed the basis for its total<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">adoption failure in uk academia. Was it geared to fail?<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Given these 4 inputs, I simply conjectured a link (liberty). I<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">tested my conjecture by being a bit outlandish. Compared to the<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">norm (fox news and msnbc), I was MILD in the imputations. 
Lots of<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Ifs, buts, shoulds, mays....that mature heads would recognize as<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">method.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Don't get upset. It's just an experiment.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Little, powerless, clueless, skilless, informationless peter throws<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">tiny word stone at mighty million dollar liberty standards lobbying<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">machine ...and gets "over the top" reaction.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Why? 
Why such sensitivity?<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On Aug 11, 2009, at 5:29 PM, "John Bradley"<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">&lt;john.bradley@wingaa.com&lt;<a href="mailto:john.bradley@wingaa.com">mailto:john.bradley@wingaa.com</a>&gt;&gt; wrote:<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Peter, Brett<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">As a member of Liberty, Kantara, ICF, and OIDF. 
&nbsp;&nbsp;I can say that I<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">have never seen any indication of Liberty plotting against openID<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">or info-card. &nbsp;(I do go to most of the secret meetings)<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The issue with physical access is more one of not trying to boil<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">the ocean.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">There is real desire by real government RPs to use open<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">technologies and work with commercial identity providers. 
&nbsp;There<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">are RPs I am working with who want this yesterday.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">This first step is hard enough. &nbsp;Many people have been working hard<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">for many months.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">One of the ways we have been able to make progress is by limiting<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">the scope.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">We could have done physical access, LoA 4, &nbsp;p-cards and other<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">things.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote 
type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">The initial program by the GSA is a start not an end to the<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">process.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">There will be changes to the initial profiles and additional<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">profiles as time and requirements permit.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">This first step is a scary amount of work, &nbsp;give us time please.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">John B.<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">On 11-Aug-09, at 5:04 PM, &lt;<a 
href="mailto:openid-general-request@lists.openid.net">mailto:openid-general-request@lists.openid.net</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">openid-general-request@lists.openid.net&lt;<a href="mailto:openid-general-request@lists.openid.net">mailto:openid-general-request@lists.openid.net</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">wrote:<br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Date: Tue, 11 Aug 2009 13:43:29 -0700<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">From: Peter Williams<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">&lt;&lt;<a href="mailto:pwilliams@rapattoni.com">mailto:pwilliams@rapattoni.com</a>&gt;pwilliams@rapattoni.com&lt;<a href="mailto:pwilliams@rapattoni.com">mailto:pwilliams@rapattoni.com</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Subject: Re: [OpenID] OpenID + Government<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">To: Brett McDowell<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">&lt;&lt;<a href="mailto:email@brettmcdowell.com">mailto:email@brettmcdowell.com</a>&gt;email@brettmcdowell.com&lt;<a 
href="mailto:email@brettmcdowell.com">mailto:email@brettmcdowell.com</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Cc: OpenID List &lt;&lt;<a href="mailto:general@openid.net">mailto:general@openid.net</a>&gt;general@openid.net&lt;<a href="mailto:general@openid.net">mailto:general@openid.net</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Message-ID: &lt;&lt;<a href="mailto:7911DEBA-C04B-4CC7-8A4B-967626522E9A@rapattoni.com">mailto:7911DEBA-C04B-4CC7-8A4B-967626522E9A@rapattoni.com</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">7911DEBA-C04B-4CC7-8A4B-967626522E9A@rapattoni.com&lt;<a href="mailto:7911DEBA-C04B-4CC7-8A4B-967626522E9A@rapattoni.com">mailto:7911DEBA-C04B-4CC7-8A4B-967626522E9A@rapattoni.com</a><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Content-Type: text/plain; charset="us-ascii"<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">If the infocard stack is technically reputable, can you explain why<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">an<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">accredited provider would be excluded from using 
it (and openid)<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">from<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">making assertions of physical presence?<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">general mailing list<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">general@lists.openid.net&lt;<a href="mailto:general@lists.openid.net">mailto:general@lists.openid.net</a>&gt;<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">general mailing list<br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a 
href="mailto:general@lists.openid.net">general@lists.openid.net</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><br><br>------------------------------<br><br>End of general Digest, Vol 36, Issue 13<br>***************************************<br></div></blockquote></div><br></body></html>