[security] Nonrepudiation, and Trusting OpenID Providers
Santosh Rajan
santrajan at gmail.com
Thu Dec 10 15:42:14 UTC 2009
Hi Thomas,
The current thinking here is that OpenID is all about synchronous
signatures, which I happen to agree with. So we need to work within the
framework. Disclaimer: I am not an expert here, this is only my
understanding. Anyone please correct me if I am wrong.
Thanks
Santosh
On Thu, Dec 10, 2009 at 9:00 PM, Thomas Hardjono <hardjono at mit.edu> wrote:
> Hi folks,
>
> I'm jumping in late to this discussion (apologies).
>
> I was wondering if OpenID providers (or those wanting
> to be one) have plans to publish something equivalent
> to a PKI Certificate Practices Statement?
> Something like VeriSign's CPS statement:
> https://www.verisign.com/repository/cps/index.html
>
> Most folks that I've met either don't know about CPS docs or
> belittle it as something bureaucratic. But it's actually
> an all-important doc that Enterprise-CA customers
> of VeriSign take into serious consideration when
> signing-up for services.
>
> In the IdP/OpenID context, I'm finding it kind of
> difficult to imagine signing-up
> to an IdP without something equivalent.
> The approach of "just trust us since we already have
> your credit score and other financial information"
> will not fly (and may become the failure point for
> rolling out IdP/OpenID services). Especially with the
> ongoing loss of customer data by various
> organizations without much penalties.
>
> /thomas/
>
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
>
--
http://hi.im/santosh