[OpenID] openid and acl's

Scott Kveton scott at kveton.com
Thu Aug 2 16:56:31 UTC 2007


> Anyone discussed the idea of using OpenID as a basis for a distributed ACL
> system?

I'd be really interested in being able to do this but I run into two
problems when I start to think of a solution:

- How do you 'share' the list with other sites?  Can you do this
out-of-band (i.e. without browser interaction)?  Is this another
protocol waiting to happen?  Or can we use something like FOAF or XFN
to do this?

- Chicken & egg problem ... what if I don't want to share my ACL list
with everybody?  How do I decide who gets access if they can't see my
ACL? :-)  We don't have a means of doing
have-this-service-act-on-my-behalf yet for OpenID (although I know
some folks are working on something like this) ... or does this
problem even matter?  Can we safely assume that if you're using an
OpenID you don't mind sharing your ACLs?

I know Tom from barnraiser.org has been working on this and discussing
it here on the list.

> For example, Amazon S3 allows you to set ACLs on data, but it would be nice
> if this was based on an authenticated OpenID.

I believe I heard at OSCON that Amazon is using OpenID internally ...
would be great if you could hook OpenID to S3 somehow.

- Scott


