Thanks John, I'm going to take a close look at it (assuming some version of the doc is available).
/thomas/

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Bradley
Sent: Thursday, December 10, 2009 11:22 AM
To: Thomas Hardjono
Cc: OpenID Security Mailing List
Subject: Re: [security] Nonrepudiation, and Trusting OpenID Providers

Under the trust frameworks being developed by the OIDF for US ICAM and others, there would be something similar to a CPS for OpenID providers who have been certified against a profile.

John B.

On 2009-12-10, at 10:30 AM, Thomas Hardjono wrote:

> Hi folks,
>
> I'm jumping in late to this discussion (apologies).
>
> I was wondering if OpenID providers (or those wanting to be one) have
> plans to publish something equivalent to a PKI Certificate Practices
> Statement?
> Something like VeriSign's CPS statement:
> https://www.verisign.com/repository/cps/index.html
>
> Most folks that I've met either don't know about CPS docs or belittle
> it as something bureaucratic. But it's actually an all-important doc
> that Enterprise-CA customers of VeriSign take into serious
> consideration when signing-up for services.
>
> In the IdP/OpenID context, I'm finding it kind of difficult to imagine
> signing-up to an IdP without something equivalent.
> The approach of "just trust us since we already have your credit score
> and other financial information"
> will not fly (and may become the failure point for rolling out
> IdP/OpenID services). Especially with the ongoing loss of customer
> data by various organizations without much penalty.
>
> /thomas/
>
> _______________________________________________
> security mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-security
