> Which is the complete flaw of OpenID, the OpenID assertion is "I am who I am because _I_ say so" whereas in the Federation the Shibboleth assertion is "I am who I am because the _University of Dundee_ says so". Which has more weight, some kid off the street or the University of Dundee?
I don't believe this to be a flaw in OpenID, but rather a fundamental design
difference between OpenID and Shibboleth. I don't believe that OpenID
was ever meant to provide access to high value resources; it was
designed solely as a means for users to consolidate multiple low value
accounts into a single identifier to reduce the risk of RPs/SPs
misbehaving, whereas Shibboleth was designed as a way to control access
to clearly defined high value resources and as such requires a much more
developed trust infrastructure.
OpenID is at its most useful when there is no need for a third party to
vouch for user assertions and self-signed assertions of attributes are
all that are required, e.g. to access a personal blog it doesn't matter
that my presented identity is factually correct, only that the identity
that is presented is always the same and is owned by a single entity. I
believe that this level of accountability is generally enough for the
majority of sites on the web. However, when you need to start controlling
access to higher value resources where a level of user accountability is
required, then you need to know that the attributes presented are valid
and authentic, and this is where Shibboleth excels.
Regards
George