Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
--
James A. Donald wrote:
> nor is PKI useful in solving phishing. PKI is a solution that has been tried and has failed. It has become an obstacle, as commercial interests actively block alternatives that do not involve a small number of centralized authorities with a special privilege that enables them to intrude between client and server and charge the server.

Hallam-Baker, Phillip wrote:
> On the contrary, PKI is the basis of the security infrastructure that so far has provided the greatest defense against Internet crime - SSL.

Most of the time that I log in, or pay by credit card, or some such, I am bounced to some weird URL that has no easily provable connection to the business I am trying to interact with, which means that PKI is in practice merely an exorbitantly slow and inefficient Diffie-Hellman key-exchange.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
ERRvvxIr3Rz1ZnlX/LG8m/wkPWR/RhhqcWfDRyI1
403xuw3aJ0JGZbaY+1qh/4rydpyimpbcM8a2SNF9D

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
--
Ka-Ping Yee wrote:
> In practice SSL is primarily used to establish an encrypted channel between endpoints, not to establish reliable reciprocal identification. Given that almost no users pay any attention to certificates, what reason do we have to believe that SSL succeeds because of PKI, rather than in spite of it?

Hallam-Baker, Phillip wrote:
> SSL achieves the original security goals set for it.

Which were defined to fit what PKI does, not what the user needs. The user needs proof of relationship, not proof of true name.

--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
qVkusWoDPirkBhjZe5MXwUDyBHO4LxZCWStLyKpA
4JVAsnPJ0MmTZsUwSsCOYR37FKrlG3DPXGBozt+Kh
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Hallam-Baker, Phillip wrote:
> If you change the browser you might as well really change the browser and use a strong authentication mechanism based on PKI

Ben Laurie wrote:
> I'm sure you meant to say based on asymmetric cryptography.

Hallam-Baker, Phillip wrote:
> No, any time you have a trusted key you have an infrastructure.

No you do not, nor is PKI useful in solving phishing. PKI is a solution that has been tried and has failed. It has become an obstacle, as commercial interests actively block alternatives that do not involve a small number of centralized authorities with a special privilege that enables them to intrude between client and server and charge the server.
Re: [OpenID] OpenID IPR Policy Draft
Gabe Wachob wrote:
> Actually, the language was changed from post to a list, not subscribe to a list for this very reason.

It appears to me that your intent is, or should be, to protect against patent trolls, who are likely to retroactively patent the OpenID standard now that it is being widely adopted.

In the US, you can file a patent in which you *claim* you invented stuff one year prior to the patent application.

So the technology is first proposed and described on this list, on 2006 December 7, 2006. It is incorporated into the standard and comes to be widely used around about, say, 2007 August. On 2007 December 5, 2007, the patent troll has a friendly individual inventor file a patent application claiming to have invented the technology on 2007, December 6. They keep the patent under water for a couple of years, preventing it from being published, until evil unpopular giant megacorp, say Intel, has been using the technology for some time. They then surface the patent. Should Intel fail to settle, they have inventor tell the jury he is being oppressed by evil giant megacorp. Jury awards the patent troll a zillion dollars, and cabillion on top of that.

Unfortunately, your proposed measure is of limited effectiveness, since our friend the highly jury-sympathetic inventor is probably not signed up on this list, his expertise being primarily in being loved by juries, rather than computer technology.

Indeed, no measures whatsoever are likely to be very effective. The patent office wants people to take out more patents, just as Ford wants people to buy more Fords. The judiciary similarly wants more human activity to be subject to patents, just as they want more laws, and those laws of broader scope, hence the steady shrinkage of any portion of the constitution that begins congress shall make no law ...
Re: [OpenID] Opened IPR Policy Draft
> So the technology is first proposed and described on this list, on 2006 December 7, 2006. It is incorporated into the standard and comes to be widely used around about, say, 2007 August. On 2007 December 5, 2007, the patent troll has a friendly individual inventor file a patent application claiming to have invented the technology on 2007, December 6.

David Nicol wrote:
> but the openID standard is more than a year old already.

Changes and enhancements to the openID standard are patentable. When the standard was originally proposed, it was far from clear that it would be widely adopted, so it is unlikely that anyone patented it in time, so the original standard is safe from IP.