[security] Nonrepudiation, and Trusting OpenID Providers
Thomas Hardjono
hardjono at MIT.EDU
Thu Dec 10 15:30:39 UTC 2009
Hi folks,
I'm jumping in late to this discussion (apologies).
I was wondering if OpenID providers (or those wanting
to be one) have plans to publish something equivalent
to a PKI Certificate Practices Statement?
Something like VeriSign's CPS statement:
https://www.verisign.com/repository/cps/index.html
Most folks that I've met either don't know about CPS docs or
belittle it as something bureaucratic. But it's actually
an all-important doc that Enterprise-CA customers
of VeriSign take into serious consideration when
signing up for services.
In the IdP/OpenID context, I'm finding it kind of
difficult to imagine signing up
to an IdP without something equivalent.
The approach of "just trust us since we already have
your credit score and other financial information"
will not fly (and may become the failure point for
rolling out IdP/OpenID services). Especially with the
ongoing loss of customer data by various
organizations without much penalties.
/thomas/