[OpenID] card space and openid. Peter just doesn't get it, yet.

Eric Norman ejnorman at doit.wisc.edu
Sun Jul 22 23:16:28 UTC 2007


On Jul 22, 2007, at 4:34 AM, Peter Williams wrote:

> In one deployment, there are OpenID Provider and Consumer agents. The 
> Provider of course redirects to a local user authentication page on 
> that website - a matter that is defined in the OpenID spec as "local 
> matter" not subject to normalization. At this point, all issues of 
> OpenID protocol compliance end.
>
> In that same deployment, the implementor of "the local matter" happens 
> to exploit a cardspace-complying protocol entity to complete the local 
> matter of: user authentication. At this point, all issues of ws-trust
> protocol compliance begin.

> Is there anything more to "cardspace + OpenID" than this example of a 
> "simple gateway" architecture, where one sp-initiated WebSSO protocol 
> (OpenID Auth) is mapped into another sp-initiated flow (using 
> ws-trust)?

I have seen three different proposals floating around
about how to "integrate" CardSpace and OpenID.  I'll
try to summarize them with emphasis on who needs to
be able to speak which language/protocol.

(1)  CardSpace used to authenticate to OP, OpenID
otherwise for all communication.  (This is what I
think the above says).

*  User and OP need to speak CardSpace.
*  RP needs to speak OpenID only.
*  OP needs to speak OpenID (well of course it does).

(2)  CardSpace used to supply OpenID URL to RP,
then OpenID takes over.

*  RP needs to speak both CardSpace and OpenID.
*  User needs to speak CardSpace.
*  OP still speaks OpenID.

?  If both RP and user can speak CardSpace, then
what value would OpenID add?  Mobility in the
near future? (That's about all I can think of).

(3) CardSpace uses OP as one of its IdPs.

*  User has to speak both CardSpace and OpenID
(this is actually an addition to CardSpace;
user only "sees" CardSpace).
*  RP needs to speak CardSpace only.
*  No change with OP.

I believe that last one (3) has been effected
by the Bandit project (http://www.bandit-project.org).

Eric Norman
http://ejnorman.blogspot.com



