In OpenID attributes are alleged, so you don't have to trust the OP because there's nothing to trust on. Dealing with certified attributes creates a problem: how could I, as a relying party, know that this OP works fine and if it says "level 4" all criteria to consider were done the right way?

You can't. But you have the right idea:

Our proposal, in the same way as PAPE, the Relying Party does not need to trust the OP. The User is the one that needs to trust the OP. If problems arise with certain OP, then relying parties could choose to use some OP and exclude others with mechanisms like white/black lists.

The user needs to trust the OP that the *other* user (the one they have a contract with) is using; so, share that information, and displace the responsibility for distrusting various claims onto the user. This isn't very *friendly*, mind you, but I don't see any way of preventing a user from setting up an absolutely new OP just for that one contract; with a valuable enough contract at stake, it would even be cost-effective to rig one's own "independent auditors".

You might be able to score OPs locally, by "how many other contracts have trusted this OP", but then (to prevent gaming the system) there should be other statistics such as how long the OP has been in use, how often a contract has required "use another OP" during renegotiation, how often negotiations have *failed* entirely because one party refused to use another OP, the demographic spread of these uses over time, and maybe even the values of those contracts (for low-value contracts, there might not have been as much scrutiny over the trustworthiness of OPs), most or all of which raises user privacy issues. The last item raises verifiability issues; how do you *know* the value of the contracts is as reported?

-Shade
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs