CAcert Code Development list.

["Ian G (Audit)" <iang AT cacert.org>]

On 5/4/09 20:35, Alejandro Mery Pellegrini wrote:
> Hi,
>
> Philipp Guehring wrote:
> > Yesterday, I stumbled across a website that asked me for an OpenID login.
> > So I went to https://certifi.ca/ , showed my CAcert certificate, and
> > after about 3 simple clicks, I was logged in on the website where I
> > wanted to login.
> > So to me it seems that CAcert already works very well with OpenID.
>
> but the questions to me are:
>
> * would we trust certifi.ca's openid to login to (some of) our
> services?


Probably not *our* services, but we shouldn't need to because the user 
already has a cert in place.


> * is it good for us (PR/marketing-wise) to delegate services we
> could provide ourselves?


I'm not sure, but certainly there is a question as to whether we should 
be running a service ourselves.

If certifi.ca is a member, then to an extent we are running it 
"ourselves" or at least someone in the community is.

(I'm not whether NRP-DaL would cover it because that only permits USE 
and it looks to me like the OpenID server is more like reliance?  When 
we figure out the limitations we can possibly sit down and write a 
DaL-OpenID or something.)


> * they let you write whatever name you like, shouldn't our openid
> provide only validated names? (following the same rules used to
> choose what private data to expose in the certs)

For us as Members, as long as we can trace back to the certificate, we 
can then file dispute, name or not.

Mind you, that brings up a question:  can a site or user trace an OpenId 
user back to the certificate?

iang

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature