<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
... Hi Peter, just saw your blog...<br>
... Who installed wordpress (or whatever) for you?<br>
... You did? <br>
... Ahhh...you also installed a few plugins?<br>
... Really?<br>
... You also added the OpenID login option to your blog?<br>
... Very nice...job well done!<br>
<br>
Now tell me why should it be any different for having OpenID login
including some "trust" mechanism? Did you develop wordpress in order to
blog on your web site?<br>
<br>
Peter Williams wrote:
<blockquote cite="mid:0e4a01c7cbac$d6ba7ecc$0a14a8c0@rapnt.com"
type="cite">
<pre wrap="">I'm a blogger. I want to allow other commentators to add to my rant, logging in using their openid.I want to decide which openid providers I trust. I have no faith whatsoever in the decisions of google - my blogsite operator - on this score.
I'm a blogger....not an apache/iis admin skilled in IT.
How do we design for this?
10000 bloggers, 10000 trust models during reliance. 10000 trust stores in iis/apache?
</pre>
</blockquote>
huuu? Perhaps 1 trust model would be good already. <br>
<blockquote cite="mid:0e4a01c7cbac$d6ba7ecc$0a14a8c0@rapnt.com"
type="cite">
<pre wrap="">
-----Original Message-----
From: "Eddy Nigg (StartCom Ltd.)" <a class="moz-txt-link-rfc2396E" href="mailto:eddy_nigg@startcom.org"><eddy_nigg@startcom.org></a>
To: "Eric Norman" <a class="moz-txt-link-rfc2396E" href="mailto:ejnorman@doit.wisc.edu"><ejnorman@doit.wisc.edu></a>
Cc: "OpenID List" <a class="moz-txt-link-rfc2396E" href="mailto:security@openid.net"><security@openid.net></a>; "OpenID List" <a class="moz-txt-link-rfc2396E" href="mailto:general@openid.net"><general@openid.net></a>
Sent: 7/21/07 7:04 AM
Subject: Re: [OpenID] [security] Trust + Security @ OpenID
Apache web servers come many times with a CA bundle installed (mostly
Linux distributions). This is usually a dump from the NSS (Mozilla)
store. One can add easily more PEM encoded certificate to that bundle -
all the ones you want to trust. Implementation can require valid
certificates traceable back to a root in the CA bundle.
I don't know much about IIS (anymore), but I guess the same could be
possible there, using the local machine store.
Eric Norman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Jul 20, 2007, at 8:30 AM, Johnathan Nightingale wrote:
</pre>
<blockquote type="cite">
<pre wrap="">As Dmitry observes, the protection it offers is useless if there are
http (i.e. non-SSL/TLS) links in the chain.
</pre>
</blockquote>
<pre wrap="">True enough. But there's more. Many will argue that such
protection is also useless unless the correct trust anchors
(some folks call them "root" certificates) are deployed at
the correct places. This is far easier to say then accomplish.
Eric Norman
<a class="moz-txt-link-freetext" href="http://ejnorman.blogspot.com">http://ejnorman.blogspot.com</a>
_______________________________________________
security mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security@openid.net">security@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/security">http://openid.net/mailman/listinfo/security</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer: Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Jabber: <a class="moz-txt-link-abbreviated" href="mailto:startcom@startcom.org">startcom@startcom.org</a></font></div>
<div><font face="Arial" size="2">Phone: +1.213.341.0390</font></div>
</div>
</body>
</html>