<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
It sounds like you are conflating security, trust, level of assurance
of real identity (autonym/veronym) and of authentication. <br>
<br>
In most transactions, you do not need autonym. For example, a ticket
vendor does not need to know who you are, but it had better make sure to
hand the concert ticket to the person who paid for it. It involves
Level of Assurance on authentication but it does not involve LoA on
autonymity. <br>
<br>
I do not have too much time right now so I will not dig deeper, but
considering these separately will help you understand the issue. <br>
<br>
=nat<br>
<br>
<br>
(2009/12/11 12:37), Brandon Ramirez wrote:
<blockquote
cite="mid:68a334aa0912101937y6bf7b820pcf13962ce7b73a2a@mail.gmail.com"
type="cite">So OpenID is good when security is of little importance?
I'm not trying to be a pain, but the classic response to the trust
argument is always that OpenID is meant for use cases where security
isn't important.
<div><br>
</div>
<div>The problem is that to every RP, security IS important. To them.</div>
<div><br>
</div>
<div>- Brandon<br>
<br>
<div class="gmail_quote">On Thu, Dec 10, 2009 at 4:49 PM, Jacob
Bellamy <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:toarms@gmail.com">toarms@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
This might be a silly question, but aren't the interactions between
banks and government inherently different from, say, a user's interaction
with livejournal? In the former case, security takes precedence, and in
the latter usability does. If a bank or government institution is an
RP, then they should have every right to demand you use an OP which
they trust- and if this is the case, then it is just a matter of using
whitelists. Users should be wary regardless of using the same identity
which they would use to log in to social networking sites, in the same
manner in which they should be wary of using the same password for
their hotmail and for their bank.
<div><br>
</div>
<div><br>
</div>
<br>
_______________________________________________<br>
security mailing list<br>
<a moz-do-not-send="true" href="mailto:security@lists.openid.net">security@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-security"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-security</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547</pre>
</body>
</html>