On 10 Dec 2008, at 16:46, Fiona Culloch wrote:
>
> Andy Powell replied:
>
>> Thinking creatively around delegation might also leave you with a
>> significant chunk of the "user-centric" value in place?
>
> I don't see how user-centricity is divisible: either I can in extremis
> set up my own OpenID Provider and still be an equal player in the game,
> or I can't.
>
>> And simplifying "discovery" removes one of the major usability hurdles
>> in current systems. Granted, it replaces it with a different one (at
>> least)... the whole, "whaddaya mean my user-id is a uri?" type issue,
>
> Leaving aside the problems with URLs as usernames etc., OpenID would
> only remove that hurdle if it was used exclusively "instead-of" current
> systems. However, if you are interested in crossover, it seems more
> likely that both would end up being used "as well as", so discovery
> wouldn't go away.
Not necessarily. You could adopt a model whereby OpenID is used more
as a pointer to a trusted identity/claims provider. You use OpenID to
assert your personal 'presence', preferences etc., and a trusted
provider to make claims about a particular affiliation you may have.
Hence, OpenID is saying 'this is me and these are my interests/
preferences. I also have an affiliation with organisation X'. Assuming
the RP has a trust relationship with organisation X, they now know
where to go to get assurance over the (informal) claim the user has
made. If the user subsequently moves to organisation Y then they simply
update their OP with their new affiliation. From the RP's perspective,
the 'this is me' part remains the same. This simplifies IdP discovery
on the back of OpenID, while maintaining user-centricness and a
potential long-term identifier. In fact you could say it's a similar
or more generalised case of Andy's 'creative delegation'.

Now, clearly there are problems here (extra RP complexity, OpenID
providers supporting such claims, SSO between the OP and trusted
claims provider). Combining George's suggestion of using OpenID to
authenticate to a trusted IdP may help with the latter.
David
--
David Orrell
Identity Systems Architect
Eduserv Foundation
Tel: +44 (0)1225 474309
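The model David sketches above (OpenID carrying a stable "this is me" identifier plus an informal affiliation claim, with the RP turning to a trusted claims provider for assurance) as a runnable toy. This is an added illustration, not code from the thread or from any OpenID implementation; the class names, the `.example` identifiers and the simplifying assumption that the organisation's claims provider can recognise a subject by their OpenID URL (the OP/claims-provider SSO problem the message leaves open) are all constructed for this example.

```python
"""Toy model of 'OpenID as a pointer to a trusted claims provider'.

Added illustration only: nothing here is real OpenID protocol code.  The
OP returns a stable identifier, self-asserted preferences and an
*informal* affiliation claim; the RP only treats the affiliation as
assured after a claims provider it already trusts confirms it.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Assertion:
    """What the OP hands back after the user authenticates (constructed shape)."""
    openid: str                  # the long-term 'this is me' identifier
    preferences: Dict[str, str]  # self-asserted, never needs third-party assurance
    affiliation: Optional[str]   # informal claim: 'I belong to organisation X'


class OpenIdProvider:
    """The user's own OP: the only place the user edits when they move organisation."""

    def __init__(self) -> None:
        self._users: Dict[str, Dict] = {}

    def register(self, openid: str, preferences: Dict[str, str],
                 affiliation: Optional[str] = None) -> None:
        self._users[openid] = {"preferences": preferences, "affiliation": affiliation}

    def update_affiliation(self, openid: str, affiliation: Optional[str]) -> None:
        self._users[openid]["affiliation"] = affiliation

    def authenticate(self, openid: str) -> Assertion:
        u = self._users[openid]
        return Assertion(openid, dict(u["preferences"]), u["affiliation"])


class ClaimsProvider:
    """An organisation's IdP, authoritative about membership.  Assumption: it can
    recognise a subject by OpenID URL; the thread notes that OP-to-claims-provider
    SSO is still an open problem, so this is the simplification the toy makes."""

    def __init__(self, org: str, members: Set[str]) -> None:
        self.org = org
        self._members = set(members)

    def add_member(self, openid: str) -> None:
        self._members.add(openid)

    def remove_member(self, openid: str) -> None:
        self._members.discard(openid)

    def confirm_affiliation(self, openid: str) -> bool:
        return openid in self._members


class RelyingParty:
    """RP with a static trust list: organisation name -> claims provider."""

    def __init__(self, trusted: Dict[str, ClaimsProvider]) -> None:
        self._trusted = trusted

    def login(self, a: Assertion) -> Dict[str, object]:
        result: Dict[str, object] = {"subject": a.openid, "affiliation": a.affiliation,
                                     "assured": False, "reason": ""}
        if a.affiliation is None:
            result["reason"] = "no affiliation claimed"
        elif a.affiliation not in self._trusted:
            # Discovery stops here: the RP has no trust relationship to follow.
            result["reason"] = "no trust relationship with claimed organisation"
        elif self._trusted[a.affiliation].confirm_affiliation(a.openid):
            result["assured"] = True
            result["reason"] = f"confirmed by {a.affiliation}"
        else:
            # The self-asserted claim is not backed by the authoritative source.
            result["reason"] = f"{a.affiliation} does not recognise subject"
        return result


def scenario():
    """Walk the flow: assured at org X, move to org Y by editing the OP only,
    a false claim rejected by X, and a claim about an organisation the RP
    does not trust.  All identifiers are constructed sample values."""
    alice, mallory = "https://alice.example/", "https://mallory.example/"
    org_x = ClaimsProvider("org-x.example", {alice})
    org_y = ClaimsProvider("org-y.example", set())
    rp = RelyingParty({org_x.org: org_x, org_y.org: org_y})
    op = OpenIdProvider()
    op.register(alice, {"lang": "en"}, affiliation=org_x.org)
    op.register(mallory, {}, affiliation=org_x.org)  # claims X but is not a member

    first = rp.login(op.authenticate(alice))
    # Alice moves: Y enrols her, X drops her, and she updates her OP only.
    org_y.add_member(alice)
    org_x.remove_member(alice)
    op.update_affiliation(alice, org_y.org)
    second = rp.login(op.authenticate(alice))
    false_claim = rp.login(op.authenticate(mallory))
    op.update_affiliation(alice, "org-z.example")  # RP has no relationship with Z
    untrusted = rp.login(op.authenticate(alice))
    return first, second, false_claim, untrusted


if __name__ == "__main__":
    for r in scenario():
        print(r)
```

The point the toy makes visible is the one in the message: across the move from X to Y the RP sees the same `subject`, and the only record that changed was the user's own OP entry, while the RP never accepts an affiliation it cannot route to a provider it already trusts.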