[OpenID] thoughts on a consumer driven idp affiliate program

David Nicol davidnicol at gmail.com
Tue Jan 9 06:01:30 UTC 2007


I think you are suggesting a system for real SSO, instead of simply
password-skipping.
I may be entirely wrong.  I may be raving.

With openID, when I enter a new auth domain, I need to identify myself.  I have
already logged in to the service I log in to, and openID does a little diligence to
verify that I really am who I say I am.  openID, as far as I can tell, makes no attempt
to identify me in advance to new auth domains.  openID eliminates pesky passwords
but does not eliminate pesky whoami claims.

AIS, which currently works only with e-mail addresses and does not have a whole
lot of traction outside of my own pet projects, but which is essentially the same as
bitcard, provides a way for a new auth domain to find out who I am, and I trust
bitcard to not spill the beans about whoami to just anywhere without my permission.

Doing that needs either centralization or a new standard for a whoami protocol,
not unlike form autofill (once the province of things like gator, now included in
modern web browsers) -- form autofill plus openID pretty much does it, that is the
way we are heading.

Without form autofill, a server-side centralized SSO service (that does whoami
as well as areyoureallywhoyousayyouare) may make sense, and I understand that
to be the mechanism you are suggesting.

It can easily be done with a centralized service.  As a decentralized service however,
how would it work?

Maybe it would work sort of like multicast packet routing.  In multicast packet routing,
a host that wants to receive a multicast stream informs its local router that it would like
to receive the stream, and the router informs its peers that there is a request for the
stream, and so on until the request gets to somewhere that has the stream and then
the packets start flowing, and in an ideal world all ten billion of us listen to the same
streaming audio with exactly one copy of the packets throbbing all over the world in
a perfect minimal spanning tree.

An openID-based multicast-like system would automatically federate the identity
consumers, perhaps based on user IP address, or maybe MAC address.  Unfortunately
the security implications would be rapidly very staggering, and we're back at
Zooko's triangle.
-- 
pre-Α, Α, Β, rc, release.