>>> On 10/12/2008 at 11:56, Jon Warbrick wrote:
> On Wed, 10 Dec 2008, Fiona Culloch wrote:
>
>> ...
>> That means that with
>> OpenID, if you want assurance about who your users are, you have to
>> register them yourself individually, which is harder the more users
>> you have.
>
> ... and you (as a service operator) have to decide if you are willing to
> trust each user's chosen OpenID identity provider, something which in
> general you are not in a position to do.
>
Which is the complete flaw of OpenID: the OpenID assertion is "I am who I am because _I_ say so", whereas in the Federation the Shibboleth assertion is "I am who I am because the _University of Dundee_ says so". Which has more weight, some kid off the street or the University of Dundee?

I find the statement:

"ii) The UK federation as currently deployed has a significant shortcoming which is the readiness of IdPs to disclose the real-world identity of users to SPs (as distinct from providing opaque persistent identifiers to support simple customisation). This is not a technical shortcoming but an operational one. Whilst it is relatively easy to solve, until it is, it limits the applicability of Shibboleth to personalised and other services which need to know who the users are."

rather strange. Should it not read "unreadiness"? And it isn't a shortcoming! The whole point is that we _don't_ expose real-world personal identity in breach of the Data Protection Act, but that we provide the mechanism for personalisation through the opaque identifier. Why would we want to fix that?

Andy
The University of Dundee is a registered Scottish charity, No: SC015096