Peter Williams:
It did seem strange that openid was singled out. The publicity will be only beneficial, however. Openid had no pretensions to grandeur in the higher assurance arena, of course. Now it is getting more relevant; of course, increasing relevancy now begs the question: should that stance continue? Who wants to rely on openid for blog spamming protection or antiphishing (both claims made about openid) if they don't really work!
Well, there is one thing which has been raised in the past - including by myself... OpenID OPs lack any policy statements - auditing and general responsibility requirements and adherence to standards. Yes, this smells like PKI, but in my opinion something has to be done to strengthen the standard and raise the barrier of entry. Relying on anybody's OP is simply not in the cards... and as this example shows, a governing body could have potentially prevented OPs from using weak keys (once it was disclosed) and would potentially solve other problematic practices. It would make OpenID reasonably secure! It would allow Yahoo and others to rely on such approved providers, making OpenID really useful.
_______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
