[OpenID] Can one use Generic OpenIds

Martin Atkins mart at degeneration.co.uk
Sun Jun 3 18:29:00 UTC 2007


Peter (pt) Sefton wrote:
> Hi,
> 
> I'm new here. I have tried to find an answer to my question via the 
> archive and the rest of the web, but no luck.
> 
> Is it reasonable to use OpenId with generic IDs? For example could my 
> employer, a university have a generic ID like 
> http://openid.myuni.edu.au/staff which would authenticate me as an 
> anonymous staff member? We could then make a federation of universities 
> who all trusted each other's staff, maybe to provide WIFI.
> 
> For other cases which required the site I am visiting to know who I am, 
> I could use http://openid.myuni.edu.au/staff/my.name. 
> 
> Maybe I also have a role as a student: 
> http://openid.myuni.edu.au/student/postgrad.
> 
> In this case I would not have to even remember all these URLs - the host 
> site could have a kind of "Where are you from, what role do you have" 
> form, so I would pick my home institution off a list, then say I'm a 
> staff member and I want to remain anonymous, which is enough to generate 
> the id: http://openid.myuni.edu.au/staff
> 
> Is this being done already? Is it wrong in some way?
> 

I'm coming a bit late into this discussion (still catching up on all 
this mail I got while I was on vacation), but I want to chime in on this...

Currently, the solution to the use-case you mentioned about giving 
special access to people from a particular organisation is to attempt to 
match their identifier URI to a particular pattern. For example, AOL 
users can be matched by something like m!^http://openid.aol.com/(.*)$!.

However, I'm not a big fan of basing roles on identifier matching, since 
it leads to users being forced back into using different identifiers for 
different services again, rather than having the choice of presenting 
whatever identifier they deem appropriate in a particular situation. My 
proposed solution was the Group Membership Protocol:
     <http://openid.net/wiki/index.php/Group_Membership_Protocol>

To satisfy your use-case of proving you are a member of staff at 
myuni.edu.au, the university would expose a trusted group URI which 
other organisations could check for membership. To provide anonymity, 
the OP at your university could support directed identity.

Sharing a single identifier is not ideal because it means that you must 
then share a user account with all other users who use the same 
identifier to access a particular service.
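The two points in the reply above, role assignment by identifier pattern and the account-sharing problem of a generic identifier, as an added example that is not code from the list or from any OpenID library; the trusted host table and all identifiers are constructed for illustration:

```python
"""Role derivation from an OpenID identifier and mapping to local accounts.
Added example; the trusted host table and identifiers are constructed."""
import re
from urllib.parse import urlsplit

# Constructed table of trusted OP hosts and the role their identifiers imply.
TRUSTED_HOSTS = {
    "openid.myuni.edu.au": "myuni-member",
    "openid.aol.com": "aol-user",
}

# An unanchored substring pattern, kept only to contrast with exact host matching.
NAIVE_PATTERN = re.compile(r"http://openid\.aol\.com/(.*)")


def normalize(identifier: str) -> str:
    """Canonical form used as the local account key: scheme and host are
    case-folded by the parser, the path is kept as given."""
    parts = urlsplit(identifier.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an HTTP identifier: {identifier!r}")
    return f"{parts.scheme}://{parts.hostname}{parts.path or '/'}"


def role_for(identifier: str):
    """Role implied by the identifier's host, or None if the host is not
    trusted.  The host is parsed and compared exactly, so look-alike hosts
    and identifiers that merely contain a trusted URL as a substring fail."""
    host = urlsplit(normalize(identifier)).hostname
    return TRUSTED_HOSTS.get(host)


def local_accounts(identifiers):
    """Group claimed identifiers by the local account they would land in.
    Identical normalized identifiers collapse to one account, which is the
    sharing problem a generic identifier such as .../staff runs into."""
    accounts = {}
    for ident in identifiers:
        accounts.setdefault(normalize(ident), []).append(ident)
    return accounts
```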
