--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of David Orrell
Sent: 10 December 2008 17:37
To: [log in to unmask]
Subject: Re: LA (Re: JISC OpenID Report)
On 10 Dec 2008, at 16:46, Fiona Culloch wrote:
>
> Andy Powell replied:
>
>> Thinking creatively around delegation might also leave you with a
>> significant chunk of the "user-centric" value in place?
>
> I don't see how user-centricity is divisible: either I can in extremis
> set up my own OpenID Provider and still be an equal player in the game,
> or I can't.
>
>> And simplifying "discovery" removes one of the major usability hurdles
>> in current systems. Granted, it replaces it with a different one (at
>> least)... the whole, "whaddaya mean my user-id is a uri?" type issue,
>
> Leaving aside the problems with URLs as usernames etc., OpenID would
> only remove that hurdle if it was used exclusively "instead-of" current
> systems. However, if you are interested in crossover, it seems more
> likely that both would end up being used "as well as", so discovery
> wouldn't go away.
Not necessarily. You could adopt a model whereby OpenID is used more
as a pointer to a trusted identity/claims provider. You use OpenID to
assert your personal 'presence', preferences, etc., and a trusted
provider to make claims about a particular affiliation you may have.
Hence, OpenID is saying 'this is me and these are my interests/
preferences. I also have an affiliation with organisation X'. Assuming
the RP has a trust relationship with organisation X, they now know
where to go to get assurance over the (informal) claim the user has
made. If the user subsequently moves to organisation Y, then they simply
update their OP with their new affiliation. From the RP's perspective,
the 'this is me' part remains the same. This simplifies IdP discovery
on the back of OpenID, while maintaining user-centricness and a
potential long-term identifier. In fact, you could say it's a similar
or more generalised case of Andy's 'creative delegation'.
Now, clearly there are problems here (extra RP complexity, OpenID
providers supporting such claims, SSO between the OP and trusted
claims provider). Combining George's suggestion of using OpenID to
authenticate to a trusted IdP may help with the latter.
David
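The "OpenID as a pointer" model David sketches above, as an added simulation that is not code from the thread or from any OpenID implementation. It assumes a hypothetical RP with a trust relationship per organisation (modelled as a constructed shared HMAC secret standing in for federation metadata and keys), a constructed affiliation directory behind each organisation's claims provider, and invented OpenID URLs; the self-asserted affiliation never upgrades to "verified" on its own, and a move from org X to org Y leaves the 'this is me' identifier untouched.

```python
import hmac
import hashlib

# Constructed stand-ins for the RP's trust relationships: one shared secret per
# organisation, in place of real federation metadata and signing keys.
RP_TRUST = {
    "org-x.example": b"constructed secret shared by the RP and org X",
    "org-y.example": b"constructed secret shared by the RP and org Y",
}

# Constructed affiliation directories behind each organisation's claims provider.
AFFILIATES = {
    "org-x.example": {"https://alice.openid.example/"},
    "org-y.example": set(),
}

def _tag(org, claimed_id):
    """Keyed attestation that `claimed_id` is currently affiliated with `org`."""
    msg = f"{org}|{claimed_id}|affiliated".encode()
    return hmac.new(RP_TRUST[org], msg, hashlib.sha256).hexdigest()

def attest(org, claimed_id):
    """Trusted claims provider for `org`: vouch for the user or return None."""
    if claimed_id not in AFFILIATES.get(org, ()):
        return None
    return _tag(org, claimed_id)

def rp_evaluate(claimed_id, asserted_affiliation):
    """RP logic. The OpenID assertion supplies the stable 'this is me' part and
    a self-asserted affiliation; only the trusted provider's attestation can
    upgrade that informal claim to a verified one."""
    if asserted_affiliation not in RP_TRUST:
        return "untrusted-org"   # no trust relationship, so the claim stays informal
    tag = attest(asserted_affiliation, claimed_id)
    if tag is None:
        return "unverified"      # the organisation does not vouch for this user
    if hmac.compare_digest(tag, _tag(asserted_affiliation, claimed_id)):
        return "verified"
    return "unverified"

def move_affiliation(claimed_id, old_org, new_org):
    """The user leaves old_org for new_org; the OpenID identifier is unchanged,
    so the RP's 'this is me' view is untouched and only the pointer changes."""
    AFFILIATES[old_org].discard(claimed_id)
    AFFILIATES[new_org].add(claimed_id)
    return new_org   # the affiliation the user now publishes at their OP
```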
Surely the basic problem exists.
If I have a user's [log in to unmask] then I don't really have any trust that the next time I see *that* ID it is actually the same user.
Hence it still can't be used as part of a chain to deliver a higher value of trust than I would have put in that ID in the first place.
Brian Gilmore