I wrote:
> OpenID would only remove that [discovery] hurdle if it was used
> exclusively "instead-of" current systems.
> However, if you are interested in crossover, it seems more
> likely that both would end up being used "as well as", so discovery
> wouldn't go away.

David Orrell writes:
> Not necessarily. You could adopt a model whereby OpenID is used more
> as a pointer to a trusted identity/claims provider. You use OpenID to
> assert your personal 'presence', preferences etc, and a trusted
> provider to make claims about a particular affiliation you may have.

True. I was thinking of anything that used existing Shib & OpenID
implementations unmodified. The sort of evolutions you suggest sound
fair enough. Basically, anything that allows using the global identifier
part of OpenID with a separate, trusted source of attributes about that
identifier could help with the goal (attractive to me) of breaking down
that inside/outside barrier.

> Now, clearly there's problems here (extra RP complexity, OpenID
> providers supporting such claims, SSO between the OP and trusted
> claims provider). Combining George's suggestion of using OpenID to
> authenticate to a trusted IdP may help with the latter.

That suggestion should work with current out of the box implementations,
if organisations were prepared to set up an OpenID-authenticated IdP
and do the registration work (which remains doubtful). That is
the scenario where I think IdP discovery would not go away.

Fiona.