[OpenID] Can one use Generic OpenIds
Terry Hayes
Terry.Hayes at corp.aol.com
Tue May 22 20:02:22 UTC 2007
I think a major problem with this approach (generic/collective ids)
is that it provides no way for the RP to identify the particular
entity that was using the ID. While it may not be important during
the initial transaction, providing a method to attribute actions to a
particular source may be important in some contexts.
A typical solution to this problem is to send some sort of audit ID
along with the claimed identity or other identity attributes. This
attribute value would be newly generated for each transaction.
However, the addition of a second attribute would require an
attribute exchange protocol, which I think you are trying to avoid.
I believe Shibboleth and other similar systems would just send two
claims, one that states you are staff, and one that has a valid audit
id. I think this demonstrates that protocols based on collections of
attributes handle these (slightly) more complicated requirements in a
more direct way.
You might argue that you don't need auditing - and you could be
right. Perhaps OpenID with collective IDs is a simple and easy-to-deploy
deploy protocol that works for your environment.
Terry
On May 21, 2007, at 21:58, Peter (pt) Sefton wrote:
> Hi,
>
> I'm new here. I have tried to find an answer to my question via the
> archive and the rest of the web, but no luck.
>
> Is it reasonable to use OpenId with generic IDs? For example could
> my employer, a university, have a generic ID like
> http://openid.myuni.edu.au/staff which would authenticate me as an
> anonymous staff member? We could then make a federation of
> universities who all trusted each other's staff, maybe to provide WIFI.
>
> For other cases which required the site I am visiting to know who I
> am, I could use http://openid.myuni.edu.au/staff/my.name.
>
> Maybe I also have a role as a student:
> http://openid.myuni.edu.au/student/postgrad.
>
> In this case I would not have to even remember all these URLs - the
> host site could have a kind of "Where are you from, what role do
> you have" form, so I would pick my home institution off a list,
> then say I'm a staff member and I want to remain anonymous, which
> is enough to generate the id: http://openid.myuni.edu.au/staff
>
> Is this being done already? Is it wrong in some way?
>
> Peter
>
> --
>
> Peter Sefton
> Senior Research Fellow / RUBRIC Technical Manager
> RUBRIC Project, DeC
> University of Southern Queensland
> Toowoomba Queensland 4350 AUSTRALIA
>
>
> Work: sefton at usq.edu.au
> Private: pt at ptsefton.com
>
> p: +61 (0)7 4631 1640
> m: +61 (0)410 326 955
>
> RUBRIC Website: http://www.rubric.edu.au
> USQ Website: http://www.usq.edu.au
> Personal Website: http://ptsefton.com
>
> RUBRIC is supported by the Systemic Infrastructure Initiative as
> part of
> the Commonwealth Government's Backing Australia's Ability - An
> Innovative Action Plan for the Future
> (http://backingaus.innovation.gov.au)
>
> The University of Southern Queensland is a registered provider of
> education with the Australian Government.
>
> (CRICOS Codes: QLD 00244B | NSW 02225M | VIC 02387D | WA 02521C)
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
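Terry's audit-id idea, as an added example that is not from this thread or from any OpenID implementation: a toy provider issues the collective ID (e.g. .../staff) together with a fresh audit id, signs both under a key assumed to be pre-shared with the RP (standing in for an OpenID association), and keeps the audit id to user mapping on its own side; the RP checks signature, audience, trusted role ID and replay, and never learns who the staff member is. The two-field assertion is a simplified stand-in for an attribute exchange, not the OpenID AX protocol.

```python
import hashlib
import hmac
import secrets
import time

def sign(key, a):
    msg = f"{a['claimed_id']}|{a['audit_id']}|{a['rp']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy provider issuing a collective ID (e.g. .../staff) plus a fresh
    audit id per transaction; the RP learns only the role."""

    def __init__(self, base_url, signing_key):
        self.base_url = base_url
        self.key = signing_key      # assumed pre-shared with the RP
        self.audit_log = {}         # audit_id -> (user, rp, timestamp)

    def assert_role(self, user, role, rp):
        audit_id = secrets.token_hex(16)    # unguessable, new each time
        self.audit_log[audit_id] = (user, rp, time.time())
        assertion = {"claimed_id": f"{self.base_url}/{role}",
                     "audit_id": audit_id, "rp": rp}
        assertion["sig"] = sign(self.key, assertion)
        return assertion

    def resolve(self, audit_id):
        """Provider-side only: map an audit id back to the real user."""
        return self.audit_log.get(audit_id)


class RelyingParty:
    def __init__(self, name, signing_key, trusted_ids):
        self.name = name
        self.key = signing_key
        self.trusted_ids = trusted_ids  # collective IDs this RP accepts
        self.seen_audit_ids = set()     # replay protection

    def accept(self, a):
        """Return the collective ID if the assertion is valid, else None."""
        if not hmac.compare_digest(sign(self.key, a), a["sig"]):
            return None                 # tampered or signed with other key
        if a["rp"] != self.name or a["claimed_id"] not in self.trusted_ids:
            return None                 # wrong audience / untrusted role ID
        if a["audit_id"] in self.seen_audit_ids:
            return None                 # replayed assertion
        self.seen_audit_ids.add(a["audit_id"])
        return a["claimed_id"]
```

The RP's log line for the visit carries only the collective ID and the audit id; on a later incident the university, not the RP, resolves that audit id to a person.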