OpenID 3.0

Paul Madsen paulmadsen at rogers.com
Tue Feb 26 18:23:15 UTC 2008


In a B2B case, would not the insurance agency be the OP, and its 
identity carried through the relevant assertion fields?

As Masaki-san points out, the RP can base its authorization decision on 
any number of factors - some of which might be carried through OpenID, 
some not. In this sense, OpenID is already 'converged' with 
authorization, as an RP already bases its authz decision on the asserted 
identifier. Allowing for the protocol to carry other attributes that 
might also feed into the decision is just an enhancement.

Theoretically possible would be for the OP assertion to actually carry 
an 'authorization statement' expressing some set of privileges the user 
should enjoy at the RP (and that the RP would respect). Possible, but 
weird because of the implied loss of sovereignty for the RP.

paul

McGovern, James F (HTSC, IT) wrote:
> If you were going to use OpenID in a B2B scenario where an insurance
> agent wants to access an insurance carrier's web site, the identity
> provider would need to not only pass the identity of the agent but also
> the insurance agency the insurance agent is employed by.
>
> -----Original Message-----
> From: NISHITANI Masaki [mailto:m-nishitani at nri.co.jp] 
> Sent: Tuesday, February 26, 2008 1:10 AM
> To: McGovern, James F (HTSC, IT)
> Cc: specs at openid.net
> Subject: Re: OpenID 3.0
>
> Let me confirm a point.
>
> On #1, do you mean to enforce OpenID to control the identity-holders are
> permitted to access what kind of content or service on RP or provide
> some kind of help making RP's decision easier?
>
> I feel it is natural for RP to do access-control by itself, but on the
> other hand, any information which describes what kind of person the
> accessing web-user is, will be welcome for RPs such as gender, age or
> any kind of attributes.
>
> McGovern, James F wrote:
>   
>> Figured I would ask if anyone is interested in brainstorming the next 
>> version of OpenID and how it can be used in Enterprise B2B settings 
>> and not solely focusing on consumerish interactions. Some things that 
>> I would like to see in the next version are:
>>
>> 1. A discussion on how AuthZ can converge with OpenID
>> 2. Modeling of relationships
>> 3. Not allowing an OpenID to be a vector for SQL Injection and putting 
>> something around what it should look like
>> 4. A way to indicate to the relying party what level of authentication 
>> has occurred such as did the OP check a password, how did it validate a 
>> user. Without this, there is no way that a trust model could be 
>> established in a credible way.
>>
>> 5. A way for OpenID relying parties to filter out OPs. In a business 
>> scenario, if I run the Sun employee store, I may only want the Sun OP 
>> to talk with me.
>>
>>
>>
>> **********************************************************************
>> *** This communication, including attachments, is for the exclusive 
>> use of addressee and may contain proprietary, confidential and/or 
>> privileged information. If you are not the intended recipient, any 
>> use, copying, disclosure, dissemination or distribution is strictly 
>> prohibited. If you are not the intended recipient, please notify the 
>> sender immediately by return e-mail, delete this communication and 
>> destroy all copies.
>> **********************************************************************
>> ***
>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>>     

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-282-8647
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 
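The two most concrete items in James's list, keeping an OpenID identifier from becoming a SQL injection vector (item 3) and letting an RP accept assertions only from a chosen OP (item 5), can both be handled on the RP side before any identifier touches application state. The following Python is an added illustration, not code from this thread or from any OpenID library: it models a positive assertion as a plain dict of `openid.*` fields (assuming signature verification has already happened), normalises the claimed identifier, checks `openid.op_endpoint` against an allowlist, and stores the identifier through a parameterised SQLite statement. The OP hostnames and the `users` table are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: this RP trusts assertions from one OP endpoint only
# (a hypothetical hostname standing in for "the Sun OP" from the thread).
ALLOWED_OP_ENDPOINTS = {"https://op.example.com/openid/server"}

MAX_IDENTIFIER_LEN = 255
# DNS-label shape: letters, digits, hyphens; no leading/trailing hyphen.
HOST_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*"
)


def normalize_identifier(claimed_id):
    """Normalise a URL-form OpenID identifier; return None if it is malformed.

    Lower-cases the scheme, restricts the host to DNS-label characters, drops
    the fragment and userinfo, and defaults an empty path to '/'. The path is
    kept verbatim (identifiers are case-sensitive there), so odd characters in
    it are a storage concern, handled by parameterised SQL below.
    """
    if not isinstance(claimed_id, str) or not claimed_id:
        return None
    if len(claimed_id) > MAX_IDENTIFIER_LEN:
        return None
    parts = urlsplit(claimed_id.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return None
    if "@" in parts.netloc or not parts.hostname:
        return None
    host = parts.hostname  # urlsplit already lower-cases the host
    if not HOST_RE.fullmatch(host):
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    netloc = host if port is None else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def open_user_db():
    """Create an in-memory users table (constructed schema for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (claimed_id TEXT PRIMARY KEY, op_endpoint TEXT NOT NULL)"
    )
    return db


def accept_assertion(response, db):
    """Apply RP-side policy to a signature-verified positive assertion.

    `response` is a dict of openid.* fields. Returns None when the assertion is
    accepted (and the identifier recorded), otherwise a rejection reason.
    """
    if response.get("openid.mode") != "id_res":
        return "not a positive assertion"
    op_endpoint = response.get("openid.op_endpoint", "")
    # Item 5: only OPs the RP has chosen to trust may assert identities here.
    if op_endpoint not in ALLOWED_OP_ENDPOINTS:
        return "OP endpoint not in allowlist"
    ident = normalize_identifier(response.get("openid.claimed_id", ""))
    if ident is None:
        return "malformed claimed identifier"
    # Item 3: the identifier is bound as a parameter, never spliced into the
    # SQL text, so quotes or keywords inside it cannot alter the statement.
    db.execute(
        "INSERT OR IGNORE INTO users (claimed_id, op_endpoint) VALUES (?, ?)",
        (ident, op_endpoint),
    )
    db.commit()
    return None


def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def table_exists(db, name):
    row = db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_user_db()
    # Constructed assertions: one from the trusted OP, one from a foreign OP.
    trusted = {"openid.mode": "id_res",
               "openid.op_endpoint": "https://op.example.com/openid/server",
               "openid.claimed_id": "https://Example.ORG/Alice#profile"}
    foreign = dict(trusted, **{"openid.op_endpoint": "https://other-op.example.net/server"})
    print(accept_assertion(trusted, db))   # None: accepted
    print(accept_assertion(foreign, db))   # OP endpoint not in allowlist
    print(user_count(db), table_exists(db, "users"))
```

The allowlist check runs before the identifier is even parsed, so an unwanted OP never gets to influence what the RP stores; a production RP would also key the allowlist to the discovered endpoint rather than trusting the `op_endpoint` field alone. The normalisation deliberately does not try to "sanitise" the path: the defence against item 3 is the parameterised statement, and the normaliser's job is only to reject identifiers that are not URLs at all.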



