[security] security

Brendan O'Connor openid at ussjoin.com
Sun Oct 29 19:48:29 UTC 2006


If we're going to allow all the members of this list to vote, here is 
mine: -1.

The reason for this: OpenID, at least for me, has a lot of its power in 
the idea that anyone can provide an identifier, or indeed an identity. 
For my part, I have multiple identities-- student, employee, citizen-- 
that have multiple identifiers, which are naturally split. My work is 
separate from my existence as a student, and so on. If I want to assert 
these things to different people, I can do that somewhat through the 
information-hiding faculties of one OpenID IdP-- but not entirely.

For instance, my personal OpenID identity is kept at one server. 
Separately, I run an IdP for the students at my university, so that 
every student here can have an OpenID that is tied to how the university 
identifies us electronically; I have an account there as well, 
naturally. I use them for different things, just as I use different 
e-mail addresses for different purposes-- one for work-related 
information, one for departmental information, one for the students I 
teach, and one to give to people who teach me. On the OpenID side, I use 
my JHU OpenID when I'm accessing uniquely JHU things-- which shouldn't 
allow outsiders the ability to change things, though we want them to be 
able to see what's going on. I also use it, however, to comment on 
things wearing my "student" hat, as opposed to my normal one. My 
personal OpenID gets used for non-student things.

This is made possible by having an IdP that is tied to my Hopkins 
identity. I can only do that-- go from a blank server to a small, but 
growing, IdP for the University in a few hours-- when there's no central 
body to make sure I'm "adhering to policy," as Eddy wants. If we 
implement these restrictions on what is "valid" and what is "invalid," 
then we lose the ability to have things that are useful to the 
individual communities; as I noted on the General list a day or two ago, 
our IdP is tied to our University-wide authentication providers. How do 
I know that will meet with policy, especially when I don't control the 
University's password policies? What if, at a different place with 
different requirements, I want to put an IdP to use that asserts based 
on the source IP address? (Perhaps at another university, where students 
get to have unique ones-- perhaps a university with a Class A IP range.)

I use OpenID on the Internet like I use physical cards in real life-- I 
use different ones for different things, and the differences between 
them are made based on where they come from, how I obtained them, and 
the unique situations in which I use them. An overarching standards body 
for OpenID would kill the reason I think it's both useful and exciting; 
let's make sure we don't do that.

---Brendan O'Connor

Eddy Nigg (StartCom Ltd.) wrote:
> I suggest that, instead of going in cycles, as somebody mentioned, we 
> make some decisions. I don't know how decision making is done at OpenID, 
> but assuming that everybody can vote on an open issue, I suggest having 
> a principal decision taken, to see if there is support for an open, 
> centralized body performing basic registry and adherence of specs/policy 
> supervision. This would be incorporated as part of the basic trust 
> mechanism at the specs / framework of OpenID. Details should be worked 
> out after a principal decision is taken.
> 
> After a decision on this issue, everybody knows what's in it for them and 
> what to expect. Future discussions may be pointed to this decision, 
> avoiding the subject coming up in this or that form. Suggestions?
> 
> James A. Donald wrote:
>> "Open" should mean that multiple people can perform the
>> role that Google performs. At present, no one can
>> perform the role that Google performs. If the spammers
>> start using OpenID on Tuesday, what do we do on
>> Thursday?
