[OpenID] openid and acl's

Steven Livingstone weblivz at hotmail.com
Sat Aug 4 08:01:03 UTC 2007


I like the idea of this Henry - quite simple really. The issue is how to create sub-groups etc - it seems your solution works for specific IDs and for the provider in general as a group.
The difficulty in using SAML/XACML in my view is in implementation - they are quite large specs and I think OpenID has done well in that it hasn't become overly complex. It's a balance, as I could easily accomplish defining who is to access resource X if I were to simply take the URI for resource X, add one or more OpenIDs to it (permitting access) and sign this with my OpenID. I could store this data anywhere - independently of my FOAF data.

This may not be ideal in a purist view, but I could have this working in two hours. Implementing SAML/XACML is quite a bit more complex (in fact, looking through the archives, I see this has been brought up before).

Henry - your blog discusses something that would be simple to implement, which is why I like it. I can see how it could be extended as I discuss above to allow (lightweight) distributed access controls... in fact a third party taking two independently authenticated OpenIDs could verify access to a resource as a service, I would think.

The question in doing something like this is how far do you want to go. I remember back in 2000 or so many groups I worked on creating XML Schemas that covered every scenario possible and they were just never adopted... a good example is the success of RSS over NewsML: one is a couple of pages long in spec, the other about 50 :) I personally think lightweight authorization through OpenID would be a nice start.
 
steven
http://livz.org
 



> From: henry.story at bblfish.net
> Date: Sat, 4 Aug 2007 08:40:04 +0200
> To: joseph at josephholsten.com
> CC: scott at kveton.com; general at openid.net
> Subject: Re: [OpenID] openid and acl's
>
> On 3 Aug 2007, at 19:59, Joseph Holsten wrote:
> > Scott Kveton wrote:
> >>> Anyone discussed the idea of using OpenID as a basis for a
> >>> distributed ACL's
> >>> system?
> > One thing that's important about ACLs is grouping. You wouldn't access
> > a firewall that requires you to type in every single IP address. You
> > wouldn't use windows permissions where you needed to specify every
> > user's access.
> >
> > Has someone proposed a wildcard scheme or group identifier via OpenID,
> > because that would be awesome.
>
> In "A Foaf File for Sun" [1] I argue that the Authorization service
> can be thought of as a group identifier. The Authorization service is
> a group membership verifier.
>
> This can be used to give people access to different parts of the web
> using RDF. An example I give is how this could be used to make access
> to the W3C just a question of sending someone Sun's foaf file.
>
> Henry
>
> [1] http://blogs.sun.com/bblfish/entry/a_foaf_file_for_sun
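The lightweight scheme Steven sketches above (a resource URI plus the OpenIDs allowed to reach it, signed by the owner, checkable by any third party) as an added example; this is not code from the list thread or from any OpenID project. It assumes the owner signs with an HMAC-SHA256 MAC key of the kind an OpenID 2.0 association establishes, uses the OpenID key-value form as the canonical signed encoding, applies a simplified version of OpenID identifier normalisation, and treats the key, resource URL and identifiers as constructed demo values.

```python
import hashlib, hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed demo key (assumption: a 20-byte MAC key as negotiated by an
# OpenID 2.0 association; in practice only the owner's provider holds it).
DEMO_MAC_KEY = bytes(range(20))
SIGNED_FIELDS = ["resource", "owner", "allowed"]

def normalize(identifier: str) -> str:
    """Canonicalise an identifier URL so http://livz.org == HTTP://livz.org/ ."""
    parts = urlsplit(identifier.strip())
    canon = urlunsplit(((parts.scheme or "http").lower(), parts.netloc.lower(),
                        parts.path or "/", parts.query, ""))
    if "," in canon or "\n" in canon:  # these are delimiters of the ACL encoding
        raise ValueError(f"identifier contains a delimiter: {identifier!r}")
    return canon

def kv_encode(fields: dict, keys: list) -> bytes:
    """OpenID 2.0 key-value form: one 'key:value' line per signed field, in order."""
    return "".join(f"{k}:{fields[k]}\n" for k in keys).encode("utf-8")

def build_acl(resource: str, owner: str, allowed: list, mac_key: bytes) -> dict:
    """Owner side: sign 'these OpenIDs may access this resource'."""
    acl = {
        "resource": normalize(resource),
        "owner": normalize(owner),
        "allowed": ",".join(sorted({normalize(i) for i in allowed})),
        "signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(mac_key, kv_encode(acl, SIGNED_FIELDS), hashlib.sha256)
    acl["sig"] = mac.hexdigest()
    return acl

def verify_acl(acl: dict, mac_key: bytes) -> bool:
    """True only if every field is present, covered by the signature and intact."""
    if not {"signed", "sig", *SIGNED_FIELDS}.issubset(acl):
        return False
    keys = acl["signed"].split(",")
    if sorted(keys) != sorted(SIGNED_FIELDS):
        return False  # a signature that omits a field proves nothing about it
    expected = hmac.new(mac_key, kv_encode(acl, keys), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, acl["sig"])

def is_permitted(acl: dict, mac_key: bytes, resource: str, openid: str) -> bool:
    """Third-party check: verify the signature first, then match resource and ID."""
    if not verify_acl(acl, mac_key) or acl["resource"] != normalize(resource):
        return False
    return normalize(openid) in acl["allowed"].split(",")
```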

