<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
David,<br>
<br>
Yes, I know...and completely useless! Waste of time...<br>
<br>
However I'm sure, once there will be (a few) reputation systems based
on OpenID, the very once wanting it to be really free will have the
most to loose, since the only way to get there is via lock-in of the
provider/operator....OpenID is useless in it's current form. Once it
will be useful it will be ONLY via the provided systems, which means
$$$.<br>
<br>
(I'm not meaning additional services on top of a free system, but in
order to use a useful system the freedom is lost...The future will
tell!)<br>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer: Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Phone: +1.213.341.0390</font></div>
</div>
<br>
Recordon, David wrote:
<blockquote
cite="mid7E7CA24460925C44AEB4F202BA7E45F3152A4F@MOU1WNEXMB14.vcorp.ad.vrsn.com"
type="cite">
<pre wrap="">Eddy, see slide 6, people have been able to do something like this
forever. This entire deck may be useful for you to look at to better
understand OpenID.
<a class="moz-txt-link-freetext" href="http://openid.net/pres/2005_InternetIdentityWorkshop_Berkeley.pdf">http://openid.net/pres/2005_InternetIdentityWorkshop_Berkeley.pdf</a>
--David
________________________________
From: <a class="moz-txt-link-abbreviated" href="mailto:security-bounces@openid.net">security-bounces@openid.net</a> [<a class="moz-txt-link-freetext" href="mailto:security-bounces@openid.net">mailto:security-bounces@openid.net</a>]
On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, October 27, 2006 5:21 AM
Cc: <a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a>
Subject: Re: [security] Who bears the risk..
Hi All,
I'm glad to announce, that I have installed a new OpenID Server for
anybody to use. This is a supper-trooper and absolutely cool OpenID
server, since it doesn't require you to sign up, register or
anything...Total privacy! You can choose any user name and change the
name every time if you wish, all you have to do, is to provide at
LiveJournal or other blog/forum, a URI like
<a class="moz-txt-link-freetext" href="http://123.no-password.com...everyhting">http://123.no-password.com...everyhting</a> works, no questions asked! You
can even choose a user name somebody else used previously. This is
specially interesting, since viagra.no-password.com will become
reusable...
I simply downloaded one of the libraries from the OpenID web site and
removed any authentication checking (patch available), so that when you
have to authenticate with no-password.com the web site simply post's you
back to LiveJournal with is_valid="true". Also I removed the association
for shared secrets with the RP, since there is nothing here to protect
and completely optional
<a class="moz-txt-link-rfc2396E" href="http://openid.net/specs/openid-authentication-2_0-10.html#anchor3"><http://openid.net/specs/openid-authentication-2_0-10.html#anchor3></a>
according to the specs. This makes no-password.com the fastest OpenID
server, since we don't use SSL and have no need to create the
assoc_handle. I'm sure we gained about 10 milliseconds on this! BTW, did
I tell you, that no-password.com is completely private and anonymous?
Any log files created by the server are directed to /dev/null so that
any traces of your visit at no-password.com are destroyed immediately!
This is much better that the PiP offered from Verisign, since they
probably keep log files and make back ups of their databases ;-) and
because according to the specs the IdP establishes whether the End User
is authorized to perform OpenID Authentication and wishes to do so and
the manner in which the End User authenticates to their IdP is beyond
the scope of the OpenID Authentication 2.0 Specifications, all users are
authorized at no-password.com without questions asked. Cool, isn't it?
I'm sure you now understand how useful the OpenID framework is and you
decided to add OpenID login to your forum immediately. There are no
requirements on your part, but you should....well, really you should
<a class="moz-txt-link-rfc2396E" href="http://openid.net/specs/openid-authentication-2_0-10.html#initiation"><http://openid.net/specs/openid-authentication-2_0-10.html#initiation></a>
make a small form at your forum, so the user can enter the
no-password.com URI. It's also recommended that you place the OpenID
logo <a class="moz-txt-link-rfc2396E" href="http://openid.net/login-bg.gif"><http://openid.net/login-bg.gif></a> at the beginning of the form
field. Well, perhaps you just remove any authentication at your
forum...it's useless anyway...Count on no-password.com to always
authenticate the users of your forum positively!
However, I'm not sure, if I'll keep no-password.com, since I just bought
it and can return the domain within 10 days without getting charged.
Anyway, perhaps I'll get another one (no-questions-asked.com is free) in
ten days....I'll keep you updated on this!
</pre>
</blockquote>
<br>
</body>
</html>