[OpenID] card space and openid. Peter just doesn't get it, yet.

Andrew Tomlinson adt at cannontomlinsonbyrne.com
Fri Jul 13 10:10:42 UTC 2007


Cardspace's ease of roaming between machines seems very limited - similar to
client certificates. I have it on good authority that they are working on
improving this for the next version of cardspace...

Unmanaged cards alone can't deliver a verified OpenID url. Of course the RP
can verify the url afterwards on a click to test basis as alternate
authentication schemes, but this isn't the same thing as delivering a
verified url.

With OP supplied managed cards it is a different story as verification is
performed by secure token exchange from User->RP->User->OP->User->RP to
prove the claims in the card. To tie this back to OpenID the RP would have
to be able to tie the claimed url back to the OP. If through discovery the
XRDS lists the OP who supported the url claim (might have to be under a
different service in the XRDS so the url can be different to the OpenID one)
then the card's url claim is also good enough to allow the user access to
the corresponding OpenID's account. You don't have to do any further
authentication steps.

In this way you can use the managed card from your OP when at home and
OpenID when roaming.

Let me know if there are any holes in this argument as this is off the top
of my head. Also I haven't implemented cardspace yet so whether this is
possible today is another story...

Andrew
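The check Andrew sketches above, written out as an added example (not code from the thread or from any OpenID library): the RP has already verified the managed-card token cryptographically, then does Yadis discovery on the claimed URL and accepts the claim only if that URL's XRDS lists the token issuer as its card-issuing OP under a separate service entry. The XRDS document, the token dict, and the card-issuer service type URI are constructed assumptions.

```python
# Added example, not from the mailing-list thread. Ties a managed-card URL claim
# back to the OP via the claimed URL's XRDS, as proposed in Andrew's message.
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrd*($v*2.0)"
OPENID_OP_TYPE = "http://specs.openid.net/auth/2.0/signon"
# Hypothetical service type meaning "this OP issues managed cards for this URL".
CARD_ISSUER_TYPE = "http://example.invalid/types/cardspace-issuer"  # assumption

# Constructed XRDS that discovery on the claimed URL would return. The OpenID
# endpoint and the card issuer sit under different <Service> entries so their
# URIs may differ, as the message notes.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.invalid/openid</URI>
    </Service>
    <Service priority="20">
      <Type>http://example.invalid/types/cardspace-issuer</Type>
      <URI>https://op.example.invalid/sts</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def services_of_type(xrds_text, service_type):
    """Return the <URI>s of every <Service> in the XRDS that carries service_type."""
    root = ET.fromstring(xrds_text)
    uris = []
    for svc in root.iter(f"{{{XRDS_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRDS_NS}}}Type") if t.text}
        if service_type in types:
            uris.extend(u.text.strip() for u in svc.findall(f"{{{XRDS_NS}}}URI") if u.text)
    return uris


def card_claim_trusted(token, fetch_xrds):
    """Accept the card's URL claim only if discovery on that URL names the token's
    issuer as its card-issuing OP. `token` holds claims the RP already verified
    (issuer, claimed_url); `fetch_xrds(url)` performs Yadis discovery."""
    xrds_text = fetch_xrds(token["claimed_url"])
    trusted_issuers = services_of_type(xrds_text, CARD_ISSUER_TYPE)
    return token["issuer"] in trusted_issuers
```

A token whose issuer is not listed in the claimed URL's XRDS is rejected even though its signature verified, which is the gap an unmanaged card cannot close.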

-----Original Message-----
From: John Panzer [mailto:jpanzeracm at johnpanzer.com] 
Sent: 12 July 2007 16:01
To: Andrew Tomlinson
Cc: general at openid.net
Subject: Re: [OpenID] card space and openid. Peter just doesn't get it, yet.

1. One of the issues with CardSpace is portability -- it's nice to have 
a phishing-resistant option available 90% of the time, and a roaming 
option for when you need access from a different computer or a device 
that doesn't do CardSpace yet.

2. If I actually want to use the same identity across sites, how would 
CardSpace alone provide a verified URL identity to an RP?  (The key here 
being verified of course.)  What's the canonical way to do this with 
CardSpace alone?

Andrew Tomlinson wrote:
> I have only seen OpenID + Cardspace expressed as anti-phishing protection
> for the user OP protection:
> 
> http://www.identityblog.com/?p=659
> 
> You appear to know far more about protocols than me, but the only reason I
> can think of for using Cardspace with the RP is a way to convey the
> identity url and the wish to use OpenID. Then you bounce around in usual fashion.
> 
> Seems a bit too much technology to achieve very little benefit. Why not
> simply offer Cardspace and OpenID as separate options at the RP? Anything
> more seems like a massive shoehorn.
> 
> Maybe I am missing something too ;)
> 
> Andrew
> 
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Peter Williams
> Sent: 12 July 2007 11:20
> To: general at openid.net
> Subject: [OpenID] card space and openid. Peter just doesn't get it, yet.
> 
> Ok. I'm not on the same plane as all you guys who write these
> standards - or the libraries. But, as a simple buyer and operator of a
> major US national-scale ID system, I've been trying real hard over the
> last 12 months to understand and apply all the internet-era identity
> technologies out there - mostly by practicing with tools, libraries, and
> actual servers.
> 
> But, I still don't get cardspace + openid.
> 
> ...
> 
> 
> Then, there is cardspace + openid, again.
> 
> 
> Ok. Cardspace can send "tokens" - to the requesting website. The token
> data structure can be any syntax/format, including the syntax this
> community uses in the signed blob that underlies OpenID's means of
> communicating assertions.
> 
> Is that what folks mean, when they say cardspace + openid? - leverage
> the syntax of the OpenID signed blob?
> 
> Or, is there a role for the OpenID Auth protocol - where perhaps the
> cardspace active control and supporting cardspace libraries in a trusted
> OS can ask (using OpenID Auth protocol) a web-based third party "managed
> infocard provider" - implemented as an OP - to provide the (Signed)
> OpenID assertion token, which the control then relays to the peer
> cardspace handler in the http listener at the SP site? 
> 
> If you've followed through all this "voyage of discovery", you might
> feel like I do that something critical is missing from the story, in the
> area of cardspace. I'm worried I could be on an entirely wrong track, when
> it comes to understanding the role of cardspace, in the open world. For
> example, it's possible that OpenID + cardspace is just an implementation
> issue - leveraging the "trusted desktop" that comes when one applies
> CardSpace. That's entirely valuable, but not earth-shattering.
> 
> 
> 
> I think this memo was way too long! Well done, if you got here without
> hitting delete!
> 
> 
> 
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 