[security] Nonrepudiation, and Trusting OpenID Providers
Thomas Hardjono
hardjono at MIT.EDU
Thu Dec 10 16:51:25 UTC 2009
Thanks John,
I'm going to take a close look at it (assuming
some version of the doc is available).
/thomas/
-----Original Message-----
From: openid-security-bounces at lists.openid.net [mailto:openid-security-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Thursday, December 10, 2009 11:22 AM
To: Thomas Hardjono
Cc: OpenID Security Mailing List
Subject: Re: [security] Nonrepudiation, and Trusting OpenID Providers
Under the trust frameworks being developed by the OIDF for US ICAM and others, there would be something similar to a CPS for openID providers who have been certified against a profile.
John B.
On 2009-12-10, at 10:30 AM, Thomas Hardjono wrote:
> Hi folks,
>
> I'm jumping in late to this discussion (apologies).
>
> I was wondering of OpenID providers (or those wanting to be one) have
> plans to publish something equivalent to a PKI Certificate Practices
> Statement?
> Something like VeriSign's CPS statement:
> https://www.verisign.com/repository/cps/index.html
>
> Most folks that I've met either don't know about CPS docs or belittle
> it as something bureaucratic. But its actually an all-important doc
> that Enterprise-CA customers of VeriSign take into serious
> consideration when signing-up for services.
>
> In the Idp/OpenID context, I'm finding it kind of difficult to imagine
> signing-up to an IdP without something equivalent.
> The approach of "just trust us since we already have your credit score
> and other financial information"
> will not fly (and may become the failure point for rolling out
> IdP/OpenID services). Especially with the ongoing loss of customer
> data by various organizations without much penalties.
>
> /thomas/
>
> _______________________________________________
> security mailing list
> security at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-security
More information about the security
mailing list