[OpenID] Demo Travel/ retailshop

Peter Williams pwilliams at rapattoni.com
Sun Apr 26 15:15:56 UTC 2009


the main problem I see is the expectation that only OPs (in the pure openid model) will have the consent/authorization/audit necessary for sensitive attributes.

Will a data provider (aka attribute provider) in the OAUTH model?

This is quite a subtle shift of the openid model, due to OAUTH. Not only is the openid protocol getting the benefits of the delegation mechanism that facilitates an openid RP talking to (policy-authorized) OAUTH SPs, but now OPs are no longer the aggregated repository of sensitive attribute handling.

This affects the user's UCI model in some interesting ways.

Yes - it illustrates more UCI-ness - as one can have a paypal SP as the repository for one's credit card info, while Google OP is the repository for one's UPN/email/openid and public attributes, and another party is in charge of the discovery controls.

No - it makes the openid RP need to be ABLE to handle certain attributes (e.g. PCI controlled cc info) at the same control level as the OAUTH SP, once released/delegated/received.

Speaking intuitively, the fact that the OAUTH session key management is not linked to the control protocols of OpenID Auth worries me. It makes openid a bootstrap for the OAUTH session, but openid is not in control. With my UCI hat on, I LIKE that. With my security professional hat on, I don't like the design concept - as centralized connection management policy (effected by openid, fronting a network policy server - Microsoft NAP or CISCO ACS) MUST also be in charge of the subkeying on subprotocols - such as OAUTH.


________________________________
From: Andrew Arnott [andrewarnott at gmail.com]
Sent: Sunday, April 26, 2009 7:10 AM
To: Santosh Rajan
Cc: Peter Williams; general at openid.net
Subject: Re: [OpenID] Demo Travel/ retailshop

Remember (I say this to everyone on the list),

Just because PayPal would make an excellent source of this information, that doesn't mean that it should become an OP.  In the interest of the SSO model, since we seem to have enough big OPs out there, why not have PayPal become an OAuth Service Provider.

Imagine... you're already logged into eBay using your preferred OP.  You're now ready to purchase.  Why make you log in again using PayPal?  Instead, just click the Pay With PayPal button.  You see PayPal pop up, asking you to verify the purchase/bid/whatever.  You click Yes.  You see eBay again, and it has received all the info it needs.  If you weren't already signed into PayPal you may need to sign in there before clicking "Yes", but you're strictly logging into PayPal and not re-logging into eBay.

You don't need to be an OP to be able to provide this info.  If authentication isn't strictly necessary, OAuth is usually the right choice.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire


On Sun, Apr 26, 2009 at 5:54 AM, Santosh Rajan <santrajan at gmail.com> wrote:
I think Visa. Mastercard etc will get into the act!
Incidentally Paypal is in an excellent position to be an OP for shopping sites, because not only can it provide a verified email address, it can also tell the RP if the user is a paypal verified user, i.e. he has a verified credit card. (Of course they will need to communicate this info somehow).


On Sun, Apr 26, 2009 at 5:28 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

so where are people planning on storing (partial) credit card data -

1. at the op (paypal OP model) attribute server
2. in the release module of the OP, under user control
3. at the discovery agent (users XRDS, somehow protected)
4. one of the RPs
5. a super RP trusted by other RPs?


it's a good test of the UCI/openid model, as now we have a sensitive attribute to worry about. No one can just wave their hands and say: openid is for things that don't matter much...
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Santosh Rajan [santrajan at gmail.com]
Sent: Saturday, April 25, 2009 8:03 PM
To: general at openid.net
Subject: Re: [OpenID] Demo Travel/ retailshop

I am willing to help.


nieuwsgroep wrote:
>
> I think Brian Kissel and the others of the retail advisory committee
> (http://www.slideshare.net/bkkissel/openid-foundation-retail-advisory-committee-webinar?type=powerpoint)
> did a great job summarizing the benefits of OpenID for retailers. It really
> helps to discuss OpenID with some of the relying party decision makers.
>
> In addition to the presentation I think it would help a lot if these
> benefits can be shown in an online demo, convincing potential RPs to
> start a pilot project.
>
> Anyone working on a retail demo that shows the benefits by the following
> scenario:
>
> 1. Register online on a demo travelshop with an openid, collecting as
> much profile data as possible to prefill the registration form.
>
> 2. Return to the travelsite and easily login with an OpenID.
>
> 3. Book a demo holiday and post this back to my IDP/ Social profile
> (like facebook or myspace), telling my connections I planned a holiday with
> DemoTravelshop.
>
> 4. Additionally, easily redirect (Federated login) to a demo
> partnersite to rent a car.
>
> A good demo like this would complement the story to potential RPs and
> make it more tangible.
>
> Anyone working on such a demo, plans to, or willing to help on this?
>
> Kick
>


-----

Santosh Rajan
http://santrajan.blogspot.com

_______________________________________________
general mailing list
general at openid.net<mailto:general at openid.net>
http://openid.net/mailman/listinfo/general

