[OpenID] OpenID & Estonia.

Troy Benjegerdes hozer at hozed.org
Mon Jun 4 15:08:25 UTC 2007


On Mon, Jun 04, 2007 at 12:10:21PM +0200, Simon Josefsson wrote:
> Hello Martin!
> 
> I am interested in combining OpenID with eID in Sweden.  I am the
> maintainer of GnuTLS, and in an experimental branch I have support for
> eID-based smart card authentication in TLS.  I have a GnuTLS server up
> and running, and have tested my Swedish eID-card via a GnuTLS-based
> browser and it seems to work fine.  The final step is to build the
> OpenID server, and I have some experience there (adapting the JanRain
> example PHP server for youbico.com's server).
> 
> Do you have source code available?  I have started looking at modifying
> JanRain's PHP server to support PKI-authentication, and it looks simple
> to do.  If you have something ready, or we can build something together,
> I'd be very interested to hear about your design and implementation.

FYI, I'm also interested in using two-factor authentication for an
OpenID. In my case, I have a pam module for CryptoCard's two-factor keychain
tokens and code to initialize a token. I would like to extend the
cryptocard support to work with Heimdal Kerberos, and integrate that
with an OpenID server.

One thing I think anyone working on any sort of 'eID' should keep in
mind is that there is no reason it has to be a government issued ID. And
I'll also claim that for ID on the world-wide internet, having
several widely used non-governmental organizations with strong ID
guarantees will be a necessity.

I think any of us involved in developing server software for two-factor
authenticated OpenIDs should make an effort to ensure that there is at
least one option for some third party to get the hardware tokens that
are being used, and initialize them with their own keys or secrets.


