[security] Nonrepudiation, and Trusting OpenID Providers
John Bradley
ve7jtb at ve7jtb.com
Thu Dec 10 16:22:29 UTC 2009
Under the trust frameworks being developed by the OIDF for US ICAM and others, there would be something similar to a CPS for openID providers who have been certified against a profile.
John B.
On 2009-12-10, at 10:30 AM, Thomas Hardjono wrote:
> Hi folks,
>
> I'm jumping in late to this discussion (apologies).
>
> I was wondering of OpenID providers (or those wanting
> to be one) have plans to publish something equivalent
> to a PKI Certificate Practices Statement?
> Something like VeriSign's CPS statement:
> https://www.verisign.com/repository/cps/index.html
>
> Most folks that I've met either don't know about CPS docs or
> belittle it as something bureaucratic. But its actually
> an all-important doc that Enterprise-CA customers
> of VeriSign take into serious consideration when
> signing-up for services.
>
> In the Idp/OpenID context, I'm finding it kind of
> difficult to imagine signing-up
> to an IdP without something equivalent.
> The approach of "just trust us since we already have
> your credit score and other financial information"
> will not fly (and may become the failure point for
> rolling out IdP/OpenID services). Especially with the
> ongoing loss of customer data by various
> organizations without much penalties.
>
> /thomas/
>
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2468 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-security/attachments/20091210/50a0bf83/attachment.bin>
More information about the security
mailing list