Anyone seen xauth.org?
Nate Klingenstein
ndk at internet2.edu
Tue Apr 20 19:57:32 UTC 2010
Chris & John,
Sorry for the delayed response. This'll be the last I can fire off
for a while, as I'm traveling.
> I don't think anyone was interested in starting up another instance
> of mailing list software.
Shouldn't the XAuth project run its own mailing lists? If it aims to
be the session cache for all social identity, it should have enough
institutional infrastructure to do so.
> Do you know of any that already support OpenID and/or federated
> identities?
Absolutely. We run federated email lists using Sympa, a MLM developed
in France. We usually front-end it with Shibboleth and use SAML, but
you could just as easily do so with OpenID and AX (or even SREG).
http://en.wikipedia.org/wiki/Sympa
http://www.sympa.org/manual/authentication
There may be others I'm not aware of. Beyond that, there are plenty
of options that just validate a non-bouncing email address without
grabbing a password in the process.
> I mean, they'd presumably require an email address anyway, right?
Sure, you pass that as an attribute. See the Sympa docs for examples
with a variety of protocols.
On Apr 20, 2010, at 4:41 PM, John Panzer wrote:
> (Note that a Google account in this case essentially means
> registering an email address of your choice and associating a
> password of your choice with it...)
Surely you know how much phishing pain this flavor of registration
process causes us. We can't even check that the password selected is
different. Here are 4 news articles from the last week or two about
phishing attacks targeting students. I can send more.
http://www.wkuherald.com/2010/04/13/scam-e-mail-prompts-warning/
http://www.thesetonian.com/news/pcss-warns-students-about-phishing-scam-1.1311310
http://www.spamfighter.com/News-14204-Multiple-Phishing-Scams-Hit-WSU-Campus.htm
http://sunbeltblog.blogspot.com/2010/04/phishers-target-students-with-fake.html
This authentication process is not really in keeping with the
philosophy of federated identity that Google is so rightly
promulgating and leveraging effectively in other places, e.g. Google
Apps for Education. I just wanted to know if there were a better way.
Is there any momentum in Google for support of something like this?
It would be killer for us and make Google Groups way more appealing
for use in education.
Thanks for the responses,
Nate.