Comments on: More on OpenID http://cuinnovators.com/blog/more-on-openid/ At CU Innovators, we help credit unions, CUSO's, and service providers create meaningful products and services for their members and clients. Mon, 14 Mar 2011 17:53:41 +0000 hourly 1 By: James http://cuinnovators.com/blog/more-on-openid/comment-page-1/#comment-562 James Thu, 18 Sep 2008 16:58:15 +0000 http://blog.cuemployee.com/?p=282#comment-562 Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I dont know how your blog came up, must have been a typo, i duno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James. Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I dont know how your blog came up, must have been a typo, i duno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.

]]> By: Guillaume http://cuinnovators.com/blog/more-on-openid/comment-page-1/#comment-561 Guillaume Mon, 08 Sep 2008 21:10:24 +0000 http://blog.cuemployee.com/?p=282#comment-561 I meant "they are NOT the only ones that have an opportunity to do so" in my previous comment. I meant “they are NOT the only ones that have an opportunity to do so” in my previous comment.

]]> By: Guillaume http://cuinnovators.com/blog/more-on-openid/comment-page-1/#comment-560 Guillaume Mon, 08 Sep 2008 21:08:48 +0000 http://blog.cuemployee.com/?p=282#comment-560 While I think that providing OpenIDs is a good opportunity for FIs [1] (if they don't wait to long), they are the only ones that have an opportunity to do so. As a result, I don't think that the solution to the problem you are mentioning will be via secure bank-specific TLD. The simplest first step is for Web sites supporting OpenID to maintain a list of OpenID providers they trust, possibly with varying degree of trust. Note that it's not because I know for sure that you are a CU or a bank that I will trust you as an OpenID provider. I will trust you because you will provide me with information about your security that I feel the OpenIDs you issues can be trusted. Part of this can be addressed with OpenID policy extensions [2], but more likely this trust between OpenID consumers and providers will be the result of a contractual agreements involving disclosure of security procedures an related insurance arrangements. The problem of trust lies with the consumer: (1) will a consumer feel safer login to their CU/Bank ID with their Google ID, or (2) will they feel safer login to Google via their CU/Bank ID. My guess is (2). [1] http://lebleu.org/blog/2008/05/21/should-banks-bank-on-openid/ [2] http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html While I think that providing OpenIDs is a good opportunity for FIs [1] (if they don’t wait to long), they are the only ones that have an opportunity to do so. As a result, I don’t think that the solution to the problem you are mentioning will be via secure bank-specific TLD.

The simplest first step is for Web sites supporting OpenID to maintain a list of OpenID providers they trust, possibly with varying degree of trust.

Note that it’s not because I know for sure that you are a CU or a bank that I will trust you as an OpenID provider. I will trust you because you will provide me with information about your security that I feel the OpenIDs you issues can be trusted. Part of this can be addressed with OpenID policy extensions [2], but more likely this trust between OpenID consumers and providers will be the result of a contractual agreements involving disclosure of security procedures an related insurance arrangements.

The problem of trust lies with the consumer: (1) will a consumer feel safer login to their CU/Bank ID with their Google ID, or (2) will they feel safer login to Google via their CU/Bank ID. My guess is (2).

[1] http://lebleu.org/blog/2008/05/21/should-banks-bank-on-openid/
[2] http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html

]]>