Hi Gabe,

Beautifully worded, and (IMHO) an extremely valuable real-world opinion. I too believe OpenID is currently a "non-starter".

I have dual vested interests: I want OpenID to succeed, *especially* for RPs like Visa, since my IdP makes money from supporting OpenID only when OpenID ends up getting used. I also believe that an IdP (and mine in particular) is well suited for deploying secure technology (e.g. two-factor tokens).

If, aside from making OpenID actually *work* for the likes of Visa, we can build in the ability to provide a tangible *benefit* to Visa from using it (that is: allow Visa to REQUIRE that a user has authenticated via two-factor means, to an accredited - i.e. explicitly trusted by Visa - IdP), then we've not only cemented the future of OpenID, we've gone and improved a pile of security problems along the way.
Kind Regards,
Chris Drake
1id.com

Thursday, October 5, 2006, 1:41:34 PM, you wrote:

GW> Chris-
GW> As someone who has recently come from working in the financial
GW> sector (Visa), it's clear that OpenID is NOT intended for authentication
GW> where the *relying party* cares about how the authentication is performed.
GW> At places like Visa and for home banking, this means that OpenID,
GW> without something more, is clearly a non-starter. These relying parties want
GW> to know exactly how their users are being authenticated because their
GW> business is all about risk management and creating business opportunities
GW> around very good knowledge of the risk profile of each transaction type.
GW> That all being said, I believe it should be possible to layer on
GW> OpenID a form of IDP control such that a relying party can require a certain
GW> class or group of IDPs be used when presenting authentication assertions to
GW> them. The actual *policy* for how these IDPs are approved is probably
GW> orthogonal to the protocol spec, but "secure" identification of those IDPs
GW> (relative to some trust root, etc.) could probably be made into an extension
GW> usable for those parties who want it.
GW> My guess is that culturally, most people involved in OpenID have
GW> *not* been interested in addressing these concerns. However, expectations
GW> need to be better managed around these sorts of "relying-party cares"
GW> scenarios, because it's not obvious without actually reading the specs
GW> themselves...
GW> -Gabe

>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf
>> Of Chris Drake
>> Sent: Wednesday, October 04, 2006 8:26 PM
>> To: Kevin Turner
>> Cc: specs@openid.net
>> Subject: Re[2]: [PROPOSAL] authentication age
>>
>> Hi Kevin,
>>
>> Sounds like you're leaning towards a root authority for IdPs who can
>> audit procedures and verify protection in order to sign the IdP's
>> keys?
>>
>> Joe blogger doesn't care much about identity assertions from an IdP,
>> but it's a reasonable bet to expect that a Bank might care...
>>
>> Kind Regards,
>> Chris Drake
>>
>>
>> _______________________________________________
>> specs mailing list
>> specs@openid.net
>> http://openid.net/mailman/listinfo/specs
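The thread proposes that an RP be able to require assertions only from an accredited class of IdPs (identified relative to a trust root the RP chooses) and, in Chris's variant, that the IdP assert two-factor authentication. The following is an added illustration of the RP-side policy gate this implies; it is not code from the thread, from 1id.com or from any OpenID specification. It assumes the RP has already verified the assertion's signature (via its association or direct verification), and it assumes a hypothetical `auth_method` extension field and a constructed accreditation table keyed by exact OP endpoint. `openid.op_endpoint`, `openid.claimed_id` and `openid.signed` are real OpenID 2.0 response fields; everything else is invented for the example.

```python
"""RP-side policy check over a signed OpenID-style positive assertion.

Added example (not from the mailing-list thread). All names below are
assumptions except the real OpenID 2.0 fields openid.op_endpoint,
openid.claimed_id and openid.signed.
"""
from dataclasses import dataclass
from enum import Enum


class AuthClass(Enum):
    PASSWORD = "password"
    TWO_FACTOR = "two-factor"


# Higher rank = stronger authentication; used to compare against RP policy.
RANK = {AuthClass.PASSWORD: 1, AuthClass.TWO_FACTOR: 2}


@dataclass(frozen=True)
class Accreditation:
    trust_root: str            # accrediting body (hypothetical name)
    auth_classes: frozenset    # auth classes the IdP is accredited to assert


# Constructed sample accreditation table. Keys are the exact OP endpoint
# URLs the accreditor vouches for; nothing here is a real deployment.
ACCREDITED = {
    "https://idp.example.net/openid": Accreditation(
        "accreditor.example", frozenset({AuthClass.PASSWORD, AuthClass.TWO_FACTOR})),
    "https://cheap-idp.example.org/openid": Accreditation(
        "accreditor.example", frozenset({AuthClass.PASSWORD})),
    "https://idp.example.com/openid": Accreditation(
        "other-root.example", frozenset({AuthClass.TWO_FACTOR})),
}


@dataclass(frozen=True)
class RPPolicy:
    accepted_trust_roots: frozenset   # accreditors this RP trusts
    required_auth: AuthClass          # minimum auth class the RP demands


# Two constructed RP policies: a bank that insists on two-factor from IdPs
# accredited by one root, and a blog that accepts passwords from either root.
BANK_POLICY = RPPolicy(frozenset({"accreditor.example"}), AuthClass.TWO_FACTOR)
BLOG_POLICY = RPPolicy(frozenset({"accreditor.example", "other-root.example"}),
                       AuthClass.PASSWORD)


def check_assertion(params: dict, policy: RPPolicy, accredited=ACCREDITED):
    """Return (accepted, reason) for an assertion whose signature the RP has
    ALREADY verified. This layers the RP's IdP/authentication policy on top."""
    endpoint = params.get("openid.op_endpoint", "")
    # Exact-match lookup only: a prefix or substring match would let
    # https://idp.example.net.attacker.example/ pass as the trusted IdP.
    acc = accredited.get(endpoint)
    if acc is None:
        return False, "op_endpoint is not an accredited IdP"
    if acc.trust_root not in policy.accepted_trust_roots:
        return False, "IdP accredited by %s, which this RP does not trust" % acc.trust_root
    # The hypothetical auth_method field is only meaningful if the IdP
    # covered it with the assertion signature (openid.signed lists signed
    # field names without the "openid." prefix); otherwise anyone on the
    # return path could add it.
    signed = set(params.get("openid.signed", "").split(","))
    if "auth_method" not in signed:
        return False, "auth_method is not covered by the assertion signature"
    try:
        claimed = AuthClass(params.get("openid.auth_method", ""))
    except ValueError:
        return False, "unknown auth_method value"
    # An IdP may only assert classes its accreditation covers, so a
    # password-only IdP cannot upgrade itself to two-factor by fiat.
    if claimed not in acc.auth_classes:
        return False, "IdP is not accredited to assert %s" % claimed.value
    if RANK[claimed] < RANK[policy.required_auth]:
        return False, "RP requires at least %s" % policy.required_auth.value
    return True, "accepted"


def sample_assertion(endpoint: str, method: str, signed: bool = True) -> dict:
    """Build a constructed positive-assertion parameter set for testing."""
    fields = ["op_endpoint", "claimed_id"] + (["auth_method"] if signed else [])
    return {
        "openid.op_endpoint": endpoint,
        "openid.claimed_id": "https://alice.example/",
        "openid.signed": ",".join(fields),
        "openid.auth_method": method,
    }


if __name__ == "__main__":
    ok, why = check_assertion(
        sample_assertion("https://idp.example.net/openid", "two-factor"), BANK_POLICY)
    print(ok, why)
```

The two checks a practitioner is most likely to get wrong are the exact-match endpoint lookup (substring or prefix matching against an accreditation list is a classic lookalike-domain bypass) and the `openid.signed` check: an extension field that the IdP did not sign carries no assurance, however trusted the IdP is. The accreditation table itself is the "policy orthogonal to the protocol" Gabe describes; how it is built and distributed is out of scope here.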