On Thu, 2006-10-05 at 13:25 +1000, Chris Drake wrote:
> Hi Kevin,
>
> Sounds like you're leaning towards a root authority for IdPs who can
> audit procedures and verify protection in order to sign the IdP's
> keys?

Woah, slow down there. I won't say this is completely crazy talk, but I want to be careful about what words are put in my mouth. ;)

The description that introduced a lot of people to OpenID was "a decentralized identity system, but one that's actually decentralized and doesn't entirely crumble if one company turns evil or goes out of business." I think systems with root authorities are prone to crumbling if the root authority turns evil or goes out of business.

Furthermore, the "it's easy to switch IdPs; it's easy to run your own IdP" property is very important to OpenID. This goes away if there's a root authority you have to be audited/verified by before anyone will talk to you.

There's my word of caution for now. Gabe and Dick have both said some good things about how to consider these issues now and going forward.