[OpenID] card space and openid. Peter just doesn't get it, yet.

Andrew Tomlinson adt at cannontomlinsonbyrne.com
Thu Jul 12 11:57:39 UTC 2007


I have only seen OpenID + Cardspace expressed as anti-phishing protection
for the user OP protection:

http://www.identityblog.com/?p=659

You appear to know far more about protocols than me, but the only reason I
can think of for using Cardspace with the RP is a way to convey the identity
url and the wish to use OpenID. Then you bounce around in usual fashion.

Seems a bit too much technology to achieve very little benefit. Why not
simply offer Cardspace and OpenID as separate options at the RP? Anything
more seems like a massive shoehorn.

Maybe I am missing something too ;)

Andrew

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Peter Williams
Sent: 12 July 2007 11:20
To: general at openid.net
Subject: [OpenID] card space and openid. Peter just doesn't get it, yet.

Ok. I'm not on the same plane as all you guys who write these
standards - or the libraries. But, as a simple buyer and operator of a
major US national-scale ID system, I've been trying real hard over the
last 12 months to understand and apply all the internet-era identity
technologies out there - mostly by practicing with tools, libraries, and
actual servers.

But, I still don't get cardspace + openid.

...


Then, there is cardspace + openid, again.


Ok. Cardspace can send "tokens" - to the requesting website. The token
data structure can be any syntax/format, including the syntax this
community uses in the signed blob that underlies OpenID's means of
communicating assertions.

Is that what folks mean, when they say cardspace + openid? - leverage
the syntax of the OpenID signed blob?

Or, is there a role for the OpenID Auth protocol - where perhaps the
cardspace active control and supporting cardspace libraries in a trusted
OS can ask (using OpenID Auth protocol) a web-based third party "managed
infocard provider" - implemented as an OP - to provide the (Signed)
OpenID assertion token, which the control then relays to the peer
cardspace handler in the http listener at the SP site? 

If you've followed through all this "voyage of discovery", you might
feel like I do that something critical is missing from the story, in the
area of cardspace. I'm worried I could be on entirely the wrong track, when
it comes to understanding the role of cardspace, in the open world. For
example, it's possible that OpenID + cardspace is just an implementation
issue - leveraging the "trusted desktop" that comes when one applies
CardSpace. That's entirely valuable, but not earth-shattering.



I think this memo was way too long! Well done, if you got here without
hitting delete!



