[security] security
James A. Donald
jamesd at echeque.com
Sun Oct 29 22:06:44 UTC 2006
--
Eddy Nigg (StartCom Ltd.) wrote:
> I suggest, that instead of going in cycles, as
> somebody mentioned, let's make some decisions. I don't
> know how decision making is done at OpenID, but
> assuming that everybody can vote on an open issue, I
> suggest to have a principal decision taken, to see, if
> there is support for an open, centralized body
> performing basic registry and adherence of
> specs/policy supervision.
If it is open, there can be no such centralized body.
The very name "Openid" contradicts your proposal.
There can, however, be blacklists, whitelists, and
graylists. What troubles me is that people seem to
think that blacklisting is something we can worry about
another day.
Identity without reputation is only useful in a few very
specialized situations. In general, you want an
identity system in order to *support* a reputation
system. An identity system without a reputation system
is like a scissors with one blade or a bicycle with one
tire. If people do not need a blacklist with openid,
why do they need openid? Blacklist and whitelist
functionality is not yet urgent, since Openid is not yet
targeted by spammers. But it needs to be provided
before it becomes urgent.
Some definitions:
Whitelist means known good. Software treats
interactions with whitelisted entities as designed to
function.
Blacklisted means known bad. Software treats
interactions from blacklisted entities as adversarial.
Graylisted means seen before. Interactions with never
before seen entities may be given unkind special
treatment before they get on the graylist.
If this is going to be an open standard, there can be no
Lord High Poobah blessing identity providers. But we
do need formats for whitelist and blacklist information,
and mechanisms for rapidly and efficiently spreading
blacklist information. Then anyone can declare himself
Lord High Poobah, and have an effect that depends on the
extent to which others find his information useful in
controlling adversarial communications.
We need a whitelist of known good identity providers,
and a blacklist, whose only entry at present will be
no-password.com, whose primary function is to test the
functionality of the blacklist. If it is open, anyone
can make those lists according to whatever standards he
thinks useful - we need consensus on how to format and
communicate those lists, not consensus on the actual
content of the lists.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
DI7SsjR9uAv3PxWb7c9wYZWScEdq5hkJY9+YOvdF
4j9dDQd2zi32H35HCmc+oRIo3xiCWB2EjjQrY89hL
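As an added example, not code from the original post or from OpenID itself: a relying-party policy in Python that applies the three list categories defined above to the host of an OpenID identifier, merges lists from independent publishers (the only role a self-declared Lord High Poobah can have in an open system is to publish a list that others may or may not consume), and gives never-before-seen providers the deferred treatment before they are graylisted. The line-oriented list format, the host-suffix matching, the bad-overrides-good merge rule and the 300-second graylist delay are this example's own assumptions, not anything the post or OpenID specifies; the sample lists are constructed, with no-password.com as the blacklist test entry the post names.

```python
"""Whitelist / blacklist / graylist policy for OpenID provider hosts.

Added example, not code from the original post or from any OpenID project.
The list format, suffix matching, merge rule and graylist delay are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Treatments a relying party applies; the names are this example's own.
TRUSTED = "trusted"          # whitelisted: interactions treated as designed to function
ADVERSARIAL = "adversarial"  # blacklisted: interactions treated as hostile
NORMAL = "normal"            # graylisted: seen before, ordinary handling
DEFERRED = "deferred"        # never seen (or seen too recently): unkind special treatment

# Assumed list format: one "host verdict" per line, verdict is good or bad,
# '#' starts a comment.  Each publisher ships its own file; the relying party
# merges only the publishers it has chosen to consume.
PUBLISHER_A = """
# constructed sample data: a whitelist publisher
openid.example.org   good
"""
PUBLISHER_B = """
# constructed sample data: a blacklist publisher whose only entry is the test entry
no-password.com      bad
"""


def parse_list(text):
    """Return {host: 'good'|'bad'} for one publisher's list; reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[1].lower() not in ("good", "bad"):
            raise ValueError(f"malformed list line: {raw!r}")
        entries[parts[0].lower().rstrip(".")] = parts[1].lower()
    return entries


def provider_host(identifier):
    """Reduce an OpenID identifier (a URL, or a bare host) to its lower-cased host name."""
    url = identifier if "://" in identifier else "https://" + identifier
    host = urlsplit(url).hostname  # strips scheme, userinfo, port and path; lower-cases
    if not host:
        raise ValueError(f"no host in identifier {identifier!r}")
    return host.rstrip(".")


def lookup(host, entries):
    """Most specific listed parent wins: a.b.c is checked as a.b.c, then b.c, then c.

    So a 'bad' entry for no-password.com also covers login.no-password.com, and a
    'bad' entry for a sub-host overrides a 'good' entry for its parent (assumed rule).
    """
    labels = host.split(".")
    for i in range(len(labels)):
        verdict = entries.get(".".join(labels[i:]))
        if verdict is not None:
            return verdict
    return None


@dataclass
class ReputationPolicy:
    verdicts: dict                               # merged host -> 'good' | 'bad'
    delay: int = 300                             # seconds before an unknown host is graylisted (assumed)
    graylist: dict = field(default_factory=dict)  # host -> time (seconds) first seen

    @classmethod
    def from_lists(cls, texts, delay=300):
        """Merge several publishers' lists; 'bad' from any publisher overrides 'good'."""
        merged = {}
        for text in texts:
            for host, verdict in parse_list(text).items():
                if merged.get(host) != "bad":
                    merged[host] = verdict
        return cls(merged, delay)

    def classify(self, identifier, now):
        """Decide how to treat an interaction with the provider of `identifier` at time `now`."""
        host = provider_host(identifier)
        verdict = lookup(host, self.verdicts)
        if verdict == "bad":
            return ADVERSARIAL
        if verdict == "good":
            return TRUSTED
        # Never seen before: record the first sighting and defer until the delay has
        # passed, in the spirit of SMTP greylisting; after that the host is graylisted.
        first_seen = self.graylist.setdefault(host, now)
        if now - first_seen < self.delay:
            return DEFERRED
        return NORMAL


if __name__ == "__main__":
    policy = ReputationPolicy.from_lists([PUBLISHER_A, PUBLISHER_B])
    for ident, t in [("https://no-password.com/james", 1000),
                     ("https://openid.example.org/alice", 1000),
                     ("https://idp.example.net/bob", 1000),
                     ("https://idp.example.net/bob", 1400)]:
        print(ident, "->", policy.classify(ident, now=t))
```

The deferral state lives in memory here; a real relying party would persist the graylist and would also want to expire entries, and would pick which publishers to merge per its own risk appetite, which is the point of the post: consensus on the format, not on the content.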