[OpenID] Rule of thumb

Andy Powell andy.powell at eduserv.org.uk
Thu Jul 12 09:35:06 UTC 2007


I think the potential use of OpenID within the education sector is an
interesting middle ground here since, in general, formal educational
systems (i.e. those delivered within the campus or by external suppliers
with whom there is a contractual relationship) fall outside your 95%
email-based registration validation systems but we're seeing an
increasing use by both students and faculty of services that are inside
the 95%.

I recently asked a question on the relevant 'middleware' mailing list
for UK universities about the trust issues in a scenario where a
lecturer sets a student a task of writing a blog which the student
undertakes on an external blogging service using their
institutionally-provided OpenID.  The question caused some debate (more
debate than I was expecting), which I summed up as follows:

--- cut ---

I posted a scenario that involved a lecturer (setting and assessing a
task), a student (undertaking that task), an institution (acting as
OpenID Provider and wanting to ensure the validity of any assessed work)
and an external Web 2.0 blog service (where the task is actually
performed).

I think this is a perfectly valid scenario, and one that will become
significantly more common in the future.  I was at the Telling More
Stories e-portfolio conference in Wolverhampton recently where a lot of
the reported case studies around e-portfolios included scenarios very
much like this.  I also think it is an area where a Shibboleth approach
is weak, because of its lack of penetration into mainstream services
outside the education sector.

I asked if using an institutional OpenID to sign into an external
blogging service gives us sufficient confidence in whether a given
student is submitting a given bit of work to be a viable way forward for
institutions, given 'quality assurance' and other types of issues.

I think I heard both (implicitly) "yes, OpenID is OK in this scenario"
and (explicitly) "no, don't touch OpenID with a bargepole, it isn't
worth the plastic it's written on" type responses.

Is that a reasonable summary?

I'm still struggling to weigh up these responses.  I'm still struggling
to understand if OpenID is useful/sensible in this scenario or not.

--- cut ---

Note that my scenario in this case only goes part way towards what I
think we'll actually see in the future, which is that students will turn
up at university with an existing OpenID that they want to use (rather
than using a university-provided OpenID).  But I think that the trust
issues in that scenario are significantly more complicated, so I didn't
want to raise it at this stage.

I'd be interested in people's views on the scenario presented above.

Andy
--
Head of Development, Eduserv Foundation
http://www.eduserv.org.uk/foundation/
http://efoundations.typepad.com/
andy.powell at eduserv.org.uk
+44 (0)1225 474319

> -----Original Message-----
> From: general-bounces at openid.net 
> [mailto:general-bounces at openid.net] On Behalf Of Evan Prodromou
> Sent: 11 July 2007 23:48
> To: general at openid.net
> Subject: [OpenID] Rule of thumb
> 
> So, the list seems to be generally cogitating about the issue 
> of which OpenIDs to allow access to a system. I'd like to 
> suggest the following rule of thumb for people considering OpenID:
> 
>         If your current registration validation system consists of
>         email address verification or less, then OpenID is probably
>         fine for you.
> 
> I think this rule of thumb covers well north of 95% of 
> publicly-accessible Web sites. You can block individual bad 
> behavers on a case-by-case basis, and you can block bad-boy 
> servers that give out IDs to bad behavers (or that try to 
> exploit weaknesses in OpenID
> implementations) in whole.
> 
> I think the remaining public Web sites are mostly banks and 
> credit card companies, and they're probably not going to 
> implement any authentication system, anyways. They don't 
> accept browser certs, and they're not going to accept OpenID, 
> until it's as ubiquitous as username/password.
> 
> The question of private Web sites -- intranets, extranets -- 
> seems really easily handled with white/blacklists, but maybe 
> that's just me.
> 
> I think that if there's anything else, it's dating sites, 
> homestay networks, and parenting sites that use in-person 
> verification to make sure that the person posting is real and 
> non-creepy. I don't think that OpenID has much to offer these 
> communities, and twisting it from an authentication protocol 
> to a profile verification protocol is unhealthy.
> 
> I think there is a possibility for building up a web-of-trust 
> system based on OpenID, but I don't think it's in-scope for 
> the specification itself.
> 
> -Evan
> 
> --
> Evan Prodromou <evan at prodromou.name>
> 
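One way a relying party such as the blog service in the scenario above could apply the white/blacklist idea from the quoted message, as an added Python example that is not part of this thread: the service only counts a submission as assessed work when the identifier was discovered to belong to an allow-listed institutional OP, and it also checks that the identifier sits in that institution's domain. All OP endpoints, domains and identifiers here are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed policy for the assessed-blog scenario. Keys are OP endpoints the
# blog service trusts to vouch for assessed work; values are the identifier
# domain each OP may vouch for. All hosts here are hypothetical.
TRUSTED_OPS = {"https://openid.example.ac.uk/server": "example.ac.uk"}
# OPs the service has decided to block outright ("bad-boy servers").
BLOCKED_OPS = {"http://openid.bad-example.test/server"}


def normalize_identifier(identifier: str) -> str:
    """Normalize a URL identifier as OpenID Authentication 2.0 section 7.2 does:
    default scheme http, fragment removed, scheme/host lowercased, default port
    dropped, empty path replaced by '/'. XRIs are not handled in this example."""
    ident = identifier.strip()
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident[:1] in ("=", "@", "+", "$", "!"):
        raise ValueError("XRI identifiers are not handled here")
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    netloc = parts.hostname or ""  # hostname is lowercased, userinfo dropped
    port = parts.port
    if port and not (scheme == "http" and port == 80 or scheme == "https" and port == 443):
        netloc = f"{netloc}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def host_in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def check_assertion(claimed_id: str, op_endpoint: str) -> tuple:
    """Decide whether a positive assertion may count as an assessed submission.

    op_endpoint must be the endpoint the relying party itself discovered for
    claimed_id (OpenID 2.0 section 11.2), not the value copied from the response.
    Returns (accepted, reason_or_normalized_identifier)."""
    if op_endpoint in BLOCKED_OPS:
        return False, "OP is blocked"
    domain = TRUSTED_OPS.get(op_endpoint)
    if domain is None:
        return False, "OP is not an institutional provider"
    ident = normalize_identifier(claimed_id)
    host = urlsplit(ident).hostname or ""
    if not host_in_domain(host, domain):
        # A personal URL delegating to the institutional OP is still not an
        # institutional identifier, so it does not tie the work to a student.
        return False, "identifier is outside the institution's domain"
    return True, ident
```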
