[OpenID] card space and openid. Peter just doesn't get it, yet.

John Panzer jpanzeracm at johnpanzer.com
Thu Jul 12 15:01:22 UTC 2007


1. One of the issues with CardSpace is portability -- it's nice to have 
a phishing-resistant option available 90% of the time, and a roaming 
option for when you need access from a different computer or a device 
that doesn't do CardSpace yet.

2. If I actually want to use the same identity across sites, how would 
CardSpace alone provide a verified URL identity to an RP?  (The key here 
being verified of course.)  What's the canonical way to do this with 
CardSpace alone?

Andrew Tomlinson wrote:
> I have only seen OpenID + Cardspace expressed as anti-phishing protection
> for the user OP protection:
> 
> http://www.identityblog.com/?p=659
> 
> You appear to know far more about protocols than me, but the only reason I
> can think of for using Cardspace with the RP is a way to convey the identity
> url and the wish to use OpenID. Then you bounce around in usual fashion.
> 
> Seems a bit too much technology to achieve very little benefit. Why not
> simply offer Cardspace and OpenID as separate options at the RP? Anything
> more seems like a massive shoehorn.
> 
> Maybe I am missing something too ;)
> 
> Andrew
> 
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Peter Williams
> Sent: 12 July 2007 11:20
> To: general at openid.net
> Subject: [OpenID] card space and openid. Peter just doesn't get it, yet.
> 
> Ok. I'm not on the same plane as all you guys who write these
> standards - or the libraries. But, as a simple buyer and operator of a
> major US national-scale ID system, I've been trying real hard over the
> last 12 months to understand and apply all the internet-era identity
> technologies out there - mostly by practicing with tools, libraries, and
> actual servers.
> 
> But, I still don't get cardspace + openid.
> 
> ...
> 
> 
> Then, there is cardspace + openid, again.
> 
> 
> Ok. Cardspace can send "tokens" - to the requesting website. The token
> data structure can be any syntax/format, including the syntax this
> community uses in the signed blob that underlies OpenID's means of
> communicating assertions.
> 
> Is that what folks mean, when they say cardspace + openid? - leverage
> the syntax of the OpenID signed blob?
> 
> Or, is there a role for the OpenID Auth protocol - where perhaps the
> cardspace active control and supporting cardspace libraries in a trusted
> OS can ask (using OpenID Auth protocol) a web-based third party "managed
> infocard provider" - implemented as an OP - to provide the (Signed)
> OpenID assertion token, which the control then relays to the peer
> cardspace handler in the http listener at the SP site? 
> 
> If you've followed through all this "voyage of discovery", you might
> feel like I do that something critical is missing from the story, in the
> area of cardspace. I'm worried I could be entirely on the wrong track, when
> it comes to understanding the role of cardspace, in the open world. For
> example, it's possible that OpenID + cardspace is just an implementation
> issue - leveraging the "trusted desktop" that comes when one applies
> CardSpace. That's entirely valuable, but not earth-shattering.
> 
> 
> 
> I think this memo was way too long! Well done, if you got here without
> hitting delete!
> 
> 
> 
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
> 
> 



