RE: [dix] Re: Dix & OpenId?


> From: Dan Connolly [mailto:connolly at w3.org] 

 
> Yes... it's clear to me how I can use an OpenID persona in 
> the bloggy wiki world, but I also want to use it for calendar 
> synchronization, banking and bill paying and getting credit 
> card statements...
> maybe even with OFX and quicken. I can't seem to work that 
> out in my head.

OK, let's look at what is reachable.

Blogs, Wikis          - More than sufficient today.
HR related extranet   - Probably acceptable, need security analysis
Purchasing extranet   - Possibly with many constraints
Frequent flyer        - Some issues to consider
Online banking        - Faces major issues of liability


> Is this a case of "doctor, doctor, it hurts when I do that; so don't"?
> Or does anybody expect that it will, in fact, scale up? Any 
> pointers to reading material would be appreciated.

I think it can be made to scale up; the question is having to do the application-specific security analysis for each case. This is not about the protocol security; phishing has proved that security of the application is not just about transport security. We need to do a security review for each application.

In the bloggy, wiki world, the value of the ability to make comments is clearly greater than zero, but I have a hard time seeing much of a motivation. In the banking application, we are going up against criminal gangs currently making up to $50 million per year.

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.