Anyone seen xauth.org?

Nate Klingenstein ndk at internet2.edu
Tue Apr 20 19:57:32 UTC 2010


Chris & John,

Sorry for the delayed response.  This'll be the last I can fire off  
for a while, as I'm traveling.

> I don't think anyone was interested in starting up another instance  
> of mailing list software.

Shouldn't the XAuth project run its own mailing lists?  If it aims to  
be the session cache for all social identity, it should have enough  
institutional infrastructure to do so.

> Do you know of any that already support OpenID and/or federated  
> identities?

Absolutely.  We run federated email lists using Sympa, an MLM developed  
in France.  We usually front-end it with Shibboleth and use SAML, but  
you could just as easily do so with OpenID and AX (or even SREG).

http://en.wikipedia.org/wiki/Sympa
http://www.sympa.org/manual/authentication

There may be others I'm not aware of.  Beyond that, there are plenty  
of options that just validate a non-bouncing email address without  
grabbing a password in the process.

> I mean, they'd presumably require an email address anyway, right?

Sure, you pass that as an attribute.  See the Sympa docs for examples  
with a variety of protocols.

On Apr 20, 2010, at 4:41 PM, John Panzer wrote:

> (Note that a Google account in this case essentially means  
> registering an email address of your choice and associating a  
> password of your choice with it...)

Surely you know how much phishing pain this flavor of registration  
process causes us.  We can't even check that the password selected is  
different.  Here are 4 news articles from the last week or two about  
phishing attacks targeting students.  I can send more.

http://www.wkuherald.com/2010/04/13/scam-e-mail-prompts-warning/
http://www.thesetonian.com/news/pcss-warns-students-about-phishing-scam-1.1311310
http://www.spamfighter.com/News-14204-Multiple-Phishing-Scams-Hit-WSU-Campus.htm
http://sunbeltblog.blogspot.com/2010/04/phishers-target-students-with-fake.html

This authentication process is not really in keeping with the  
philosophy of federated identity that Google is so rightly  
promulgating and leveraging effectively in other places, e.g. Google  
Apps for Education.  I just wanted to know if there were a better way.

Is there any momentum in Google for support of something like this?   
It would be killer for us and make Google Groups way more appealing  
for use in education.

Thanks for the responses,
Nate.

