OpenID 3.0

NISHITANI Masaki m-nishitani at nri.co.jp
Wed Feb 27 05:12:42 UTC 2008


As you said, it sounds natural to me to use the end-user's 
(identity holder's) attributes delivered via SREG or AX as a 
factor in deciding the RP's behavior, such as providing a 
financial counseling service only to users who disclose their 
income to the RP.

But in such a case, there will be room to fill by advancing 
the OpenID specs to the next step.

One of the major cases of authorization with attributes 
delivered by OpenID is age confirmation at online liquor 
stores. But I do not think current OpenID is enough to fit 
such a 'serious' case.
Age confirmation does not work if the OP is not trustworthy 
enough, yet OpenID does not support any method to verify OPs.

I feel, just as discussed in other threads, that implementing 
support for reputation services or any other effort to bring more 
'trustworthy transactions' into OpenID will come to the place.



> in a B2B case, would not the insurance agency be the OP, and its 
> identity carried through the relevant assertion fields?
> 
> As Masaki-san points out, the RP can base its authorization decision on 
> any number of factors - some of which might be carried through OpenID, 
> some not. In this sense, OpenID is already 'converged' with 
> authorization, as an RP already bases its authz decision on the asserted 
> identifier. Allowing for the protocol to carry other attributes that 
> might also feed into the decision is just an enhancement.
> 
> Theoretically possible would be for the OP assertion to actually carry 
> an 'authorization statement' expressing some set of privileges the user 
> should enjoy at the RP (and that the RP would respect). Possible, but 
> weird because of the implied loss of sovereignty for the RP.
> 
> paul
> 
> McGovern, James F (HTSC, IT) wrote:
>>  If you were going to use OpenID in a B2B scenario where an insurance
>> agent wants to access an insurance carrier's web site, the identity
>> provider would need to not only pass the identity of the agent but also
>> the insurance agency the insurance agent is employed by.
>>
>> -----Original Message-----
>> From: NISHITANI Masaki [mailto:m-nishitani at nri.co.jp] 
>> Sent: Tuesday, February 26, 2008 1:10 AM
>> To: McGovern, James F (HTSC, IT)
>> Cc: specs at openid.net
>> Subject: Re: OpenID 3.0
>>
>> Let me confirm a point.
>>
>> On #1, do you mean to have OpenID control what kind of content or
>> service on the RP the identity holders are permitted to access, or to
>> provide some kind of help making the RP's decision easier?
>>
>> I feel it is natural for the RP to do access control by itself, but on
>> the other hand, any information which describes what kind of person the
>> accessing web user is, such as gender, age or any kind of attribute,
>> will be welcome for RPs.
>>
>> McGovern, James F wrote:
>>   
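
The age-confirmation concern above, seen from the RP side, as an added example that is not part of the original thread: since the protocol gives no way to verify an OP, the RP keeps its own list of OPs it accepts age claims from and only trusts a signed SREG `dob`. The allowlist, the minimum age, the `op.example.com` endpoint and the `signature_valid` flag (standing in for the RP library's normal assertion verification) are assumptions.

```python
from datetime import date
from urllib.parse import parse_qs, urlencode

# Assumption: OP endpoints this RP has vetted out of band for age claims.
TRUSTED_AGE_OPS = {"https://op.example.com/server"}
MINIMUM_AGE = 20  # assumption: the shop's own policy value


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    before_birthday = (today.month, today.day) < (dob.month, dob.day)
    return today.year - dob.year - int(before_birthday)


def may_buy_liquor(query: str, signature_valid: bool, today: date):
    """Return (allowed, reason) for a positive assertion's query string.

    signature_valid is the result of the RP library's normal assertion
    verification (signature, nonce, return_to); it is not redone here.
    """
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if not signature_valid or p.get("openid.mode") != "id_res":
        return False, "assertion not verified"
    # A valid signature only proves which OP spoke, not that it checks ages.
    if p.get("openid.op_endpoint") not in TRUSTED_AGE_OPS:
        return False, "OP not trusted for age claims"
    # Unsigned parameters could have been added in transit; ignore them.
    signed = set(p.get("openid.signed", "").split(","))
    if not {"op_endpoint", "sreg.dob"} <= signed:
        return False, "dob not covered by signature"
    try:
        dob = date.fromisoformat(p.get("openid.sreg.dob", ""))
    except ValueError:  # absent, or partial such as 1980-00-00
        return False, "dob missing or incomplete"
    if age_on(dob, today) < MINIMUM_AGE:
        return False, "under minimum age"
    return True, "ok"


def sample_assertion(op_endpoint: str, dob: str, signed: str) -> str:
    """Constructed sample input: the relevant fields of an id_res response."""
    return urlencode({
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.signed": signed,
        "openid.sreg.dob": dob,
    })
```
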


