[OpenID] Where's the added value?

Gerald Beuchelt beuchelt at sun.com
Wed Aug 29 19:53:10 UTC 2007


Just to be even more pedantic on the terminology: no Infocard "carries" 
any tokens. Instead, a card references endpoints where tokens can be obtained.

Johnny Bufu wrote:
> On 29-Aug-07, at 11:53 AM, Eric Norman wrote:
>
>>> The OpenID Information Cards specification targets existing OpenID
>>> RPs (which require minimal changes), and offers them a new means of
>>> requesting / transporting the OpenID claims / assertions, which has
>>> a few advantages over the regular OpenID flow.
>>>
>> Well, that's the question.  What are those advantages to the
>> relying party, or to the user, or to any other stakeholder.
>>
>
> For the RP: if it requires logins with an OpenID Infocard, it will
> know that the user - OP/STS authentication is phishing resistant.
>
It should be noted that this is only real news for the OpenID token - 
and can also be averted by other means.
>> The RP already has to install, configure, and maintain code
>> that can deal with Information Cards carrying SAML tokens
>> (to use your terminology).
>>
>
> Why is that? SAML tokens are not required by the Infocard specs.
>
Hmm, let's just take a quick step back: what is today and - very likely 
- also going forward the most commonly deployed Infocard-enabled RP? 
That would be IIS with the .NET Framework. And this platform has 
built-in support for SAML 1.x tokens.

Also, ANY relying party that would like to support self-signed cards 
MUST also support SAML 1.1. So, while theoretically true, this statement 
is at least somewhat unrealistic.

Therefore I think that Eric raises a very good point: if the RP supports 
SAML tokens anyway (which is quite likely), why should it burden itself 
to also accept OpenID tokens. At the end of the day, ALL Windows 
CardSpace clients can at least provide SAML 1.1 tokens.

And as far as trust goes, the WCS self-signed tokens are on exactly the 
same footing as any OpenID token.

Sorry to be a little obnoxious about this topic, but I personally think 
that the way the OpenID tokens are proposed, they will benefit neither 
OpenID nor the Infocard identity system. I could stay quiet, rejoice 
and hope that Liberty takes their place, but (i) that would be cynical 
(especially after issuing a NAC), and more importantly (ii) I think 
that the potential backlash would hurt the efforts of all identity 
system developers.

Best,

Gerald
