[OpenID] FW: ProtectNetwork ID Activation Successful!

Peter Williams pwilliams at rapattoni.com
Sun Apr 6 08:03:30 UTC 2008


One step at a time, Nate: focusing on connecting real folk to real services. Most of the barriers are now political.

As of this month, at least 1 US university that could not do WebSSO with Google Apps now can (I hope this is true! ... via Shibboleth2 software). This month, at least 1 OP that didn't publicly do SAML2... now does, motivated also by the desire to let its outsourcing customers also talk to Google Apps. The way Google did their WebSSO nicely promotes IDP outsourcing, with trivial setup. This will align nicely with AX, which clearly promotes similar outsourcing notions. The move is on! Infrastructure vendors who promote WebSSO silos are out!

I'm even hoping that by personally experimenting with an installation of Windows 2008 Enterprise, I may finally be able to do a first gatewaying trial from our multiprotocol WebSSO portal to ADFS and thus to our major deployments in MSFT backroom applications, using WS-Federation passive. Because of a move in US realty to also adopt web services this year for our data servers, in addition to traditional HTTP RDF-like data services, this will be a good stepping stone into the world of WS-Federation Active and WS-Trust. As someone trained in the upper layers of the OSI networking protocol stack, I feel very at home in the WS-* suite. If WS-* realizes ECMA remote operations, XRI realizes X.500, SAML2 provides the X.400 secure messaging model, and Federation bindings bring security policy rekeying as one crosses security domains with messages and remote operations, we will shortly be back to where we were in the research communities of 1994 - this time with mainline OS support, at commodity prices.

------------------

If you have any influence on ProtectNetwork, perhaps get them to go to the InteroperabilityFest going on in San Francisco in the coming week. If they cannot join in person, perhaps join by video? Someone will have MSFT's SharedView or a VNC feed, I'm sure. Note that I could not personally make their OpenID server work, testing against plaxo.com. But... my technical limits are legendary!

On using the TestShib to make a trial of the Shib2 SP provider for IIS7, the problem is surely also me and my technical limits: I'm really struggling to generate a flow against the TestShib2 IDP. But the scenario is forcing me to learn new tools and new management systems, just as deploying JanRain's .NET OpenID consumer forces one to first learn all about Mono, Boo, and the xvm web server for Win32. Bridging all these artificial silos of tools, protocols and VMs is all incredibly painful, though. But the final result to the end-user is worth it, as you indicate. We know US persons WILL pay upwards of about 60c a month for the WebSSO technology that eliminates passwords, and another 60c for the customer support that goes along with strong auth techniques (Vidoop, SecurID, VIP and PIV, etc, etc).

------------

It's an interesting time, as even someone at Peter's pretty low level of networking skill can now build out WebSSO networks for mom and pop shop consumers. I think most of the barriers are now entirely about politics and money - not technology. Only a few months ago, I asked my SAML2 vendor how we might enable our many users to realize their desire to talk to Plaxo (using perhaps.... an OpenID plug-in into the federation server talking to Plaxo's OpenID endpoint?). The answer was: Don't! Use Plaxo's secret SAML2 endpoint. Well, I never found it - and the vendor's OpenID support was lacking. So here we are, back to using 1980s message switching techniques from our SAML2 endpoint to Plaxo's OpenID2 endpoint.

The moral of the story for me is perhaps that all this bridging has made me understand clearly how account linking does bridge the silos, and can bridge any and all political/national barriers that get erected. I did also finally :get: the "bigger story" of OpenID and federation: the use of backwards account linking and backwards reasoning in fully inverted data models to facilitate feedback-based trust models that relying parties control. I really do now believe that a concerted "co-resident convergence" between OpenID.next and SAML2 would do for web3 what the https trust model did for web1. OpenID's main contribution is clearly yet to come. It will lie in the trust model area, not the current binding of name/value pairs onto HTTP redirects.



From: Nate Klingenstein
Sent: Sat 4/5/2008 11:34 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] FW: ProtectNetwork ID Activation Successful!


Peter, 


This is nothing new, and nothing "forced".  ProtectNetwork has been offering support for both protocols for at least a year, and they've been one of the registrars for TestShib since its inception, for which we're grateful.  I hope TestShib's been a useful facility for you and you've had a good experience with Shibboleth so far.


I've always viewed any animosity perceived between these communities as, frankly, destructive and foolish.  Protocols are just protocols, tokens are just tokens, and it's possible to do most of the same things using both these and other long-forgotten options, like the Liberty Alliance ID-* and ADFS.  Different deployment styles and operations are more difficult or more open or more secure or more simple with different protocols, but at the end of the day, it's all just flavor.  I believe all identity providers should follow ProtectNetwork's lead and support every protocol possible.


On the other hand, there is an interesting discussion about trust models and attributes that we could be having instead.  I know OpenID is encountering a much more enterprise world right now.  This transition is causing angst and even some accusations, with anger over white-lists, black-lists, and the buttons being used for session initiation by some major identity providers.  We've always focused on large-scale deployments, especially through federations, and maybe some of our practical experience would be useful.


Federated identity infrastructure for applications is our common goal.  It's not glamorous.  It's plumbing.  We should all tone down the rhetoric so we can better focus on collaborating towards this as much as possible.  Our true foe is the "Remember this password?" button in your browser, and right now, it's winning.


Take care,
Nate.


On 5 Apr 2008, at 17:59, Peter Williams wrote:


Convergence is happening nicely. I think OpenID has been the forcing function!

The note below was a very pleasant surprise to me, as I'd assumed largely OpenID denial (if not restrained hostility) from all the US contingent of the Shibboleth community. But to the contrary: the very provider facilitating signup to the TestShib process very prominently promotes OpenID. This has to be significantly raising the profile of OpenID in the academic SAML world.