<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";
color:black;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
pre
{margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:97070753;
mso-list-type:hybrid;
mso-list-template-ids:1342989790 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi list,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I just had a really fertile talk with Eddy
about “IdP reputation”, during which I came up with a couple of ideas which I found
sound enough to be shared with the community:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=1 type=1>
<li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>If
an RP is after strong IdP security, it should only trust IdPs that have SSL
(so it would resolve all identifiers to https://)<o:p></o:p></span></font></li>
<li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>Once
an identity server is queried over SSL, it will be forced to return an
X.509 certificate.<o:p></o:p></span></font></li>
<li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>X.509
certificates support explicit client-side security policy (so the RP may
define a list of CAs it trusts for granting certificates to IdPs).<o:p></o:p></span></font></li>
<li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>An “OpenID
provider” certificate key usage should be defined (to be checked by RPs).<o:p></o:p></span></font></li>
<li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>A
separate “IdP certificate” should be defined (to be queried via an
extension to the protocol).<o:p></o:p></span></font></li>
<li class=MsoNormal style='color:navy;mso-list:l0 level1 lfo1'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial'>A
combination of (4) and (5) may be used for optimal transparent security.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Please forgive me if (4) or (5) were
already defined. I’m not familiar with all existing OpenID extensions.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Does the “IdP reputation” issue should be
further discussed?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial'>Regards,</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 color=black face=Arial><span style='font-size:
10.0pt;font-family:Arial'>Dmitry</span></font><o:p></o:p></p>
</div>
<pre><font size=2 color=black face=Arial><span style='font-size:10.0pt;
font-family:Arial'>=damnian</span></font> <o:p></o:p></pre>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>