[security] Username / password etc. is out of scope for OpenID
Drummond Reed
drummond.reed at cordance.net
Thu Oct 26 05:10:00 UTC 2006
Eddy,
There's not yet an "OpenID Foundation" that I know of (the trade org that's
coming together will be called OpenID Community Organization, but it's for
promoting OpenID and not for certifying IdPs).
However there is already one network of IdPs that is defining their own
operational requirements for OpenID: the XDI.org-Accredited I-Broker network
(http://www.inames.net/register.html) that are using the XDI.org I-Service
Specification for OpenID (http://iss.xdi.org/moin.cgi/OpenIdAuthnService).
Such trust networks for IdPs *could* evolve very much like the credit card
networks that require merchants and banks that accept/process credit cards
to adhere to certain standards (and also deal with the difficult liability
issues).
I stress "could" because no one has proven yet that this model will extend
to identity services. However it certainly fits the model you're describing.
=Drummond
_____
From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Wednesday, October 25, 2006 6:48 PM
Cc: security at openid.net
Subject: Re: [security] Username / password etc. is out of scope for OpenID
I thought that this might be misunderstood, but on purpose didn't want to
get into it too much. But here is a partial answer, which might change perhaps,
when I receive some answers to my other questions:
I suppose something like an "OpenID Foundation", which will register IDPs
after making some basic checks of the facility implemented. This means
mostly web site and server specific checks, in order to make sure that they
conform to a defined outlined standard. However since there is no such
implementation standard nor proper definitions of IDPs, this is way too
early to talk about. I'm not even sure that the majority agrees there must
be such a definition in the first place...
This doesn't mean that OpenID isn't free, but only compliance to the
standard... Such a foundation can be operated by a group of individuals,
companies etc. ... It might even be that there is already an "OpenID
Foundation", I just don't know about it... That's why my questions in a
previous mail (see Fundamentals).
Alaric Dailey wrote:
IDP's.
My 2 cents:
I completely agree with the premise, and am not sure that Eddy ACTUALLY
disagrees...
I think what the spec is trying to say is that they don't want to have a
central company giving its blessing as to whether or not your site may be an
IdP. On the other hand Eddy is concerned that some effort should be made to
prove an IdP is who they say they are. This is what CAs are designed for.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390