[OpenID] FW: ProtectNetwork ID Activation Successful!
Nate Klingenstein
ndk at internet2.edu
Sun Apr 6 14:21:55 UTC 2008
Peter,
> As of this month, at least 1 US university that could not do WebSSO
> with Google Apps now can (I hope this is true! ... via Shibboleth2
> software). This month, at least 1 OP that didn't publicly do
> SAML2... now does, motivated also by the desire to let its
> outsourcing customers also talk to Google Apps. The way Google did
> their websso nicely promotes IDP outsourcing, with trivial setup.
> This will align nicely with AX, which clearly promotes similar
> outsourcing notions. The move is on! Infrastructure vendors who
> promote WebSSO silos, are out!
It certainly is true of multiple universities -- USC most prominently
-- and Google's support for federated identity standards is great.
We're also thrilled about Microsoft DreamSpark and its Shibboleth-
based validation mechanism. Students aren't interested in even
having a .edu email address today, so federated identity was the
obvious solution to the problem.
These are very large, prominent applications, though. There are many
other ones that are equally important but forgotten. About a year
ago I worked with some folks from Max Planck who were trying to set
up federated identity for a distributed system for recording
information about rare languages. It was clear that the tools of the
time were too heavy and complex for their needs. On the other side
of the spectrum, NIH is exploring federated identity and they need
stronger authentication and identity-proofing than most campuses can
supply today.
We have a lot of work to do in both directions to support most services.
> On using the TestShib to make a trial of the Shib2 SP provider for
> IIS7, the problem is surely also me and my technical limits: I'm
> really struggling to generate a flow against the TestShib2 IDP.
> But, the scenario is forcing me to learn new tools and new
> management systems, just as deploying JanRain's .NET OpenID
> consumer forces one to first learn all about Mono, Boo, and xvm
> webserver for Win32.
After you set your clock correctly, it looks from the IdP side like
things are okay. Is there another problem you're encountering that I
could help with?
> OpenIDs main contribution is clearly yet to come. It will lie in
> the trust model area, not the current binding of name/value pairs
> onto http redirects.
I absolutely agree. A few co-authors and I wrote a little article
for IEEE exploring ways to make SAML handle a more distributed trust
model. The reconciliation of identity asserted by users and their
trusted webs of friends versus the traditional proofing techniques
required by organizations is fertile ground, and I would love to see
the OpenID community pioneer this. It's perfectly situated for this
crucial work.
http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2008/n2&file=bsi.xml&
Take care,
Nate.
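The clock remark in the reply above ("after you set your clock correctly ... things are okay") is the classic SAML 2.0 failure mode: an IdP such as Shibboleth stamps each assertion with a Conditions window (NotBefore / NotOnOrAfter), and an SP whose clock sits outside that window rejects the assertion, usually with little explanation. The following is an added illustration, not code from the post, the Shibboleth project or TestShib; the assertion, hostnames and the 180-second skew allowance are constructed for the demo, while the namespace URI and attribute names are the real SAML 2.0 ones.

```python
"""
Added example: the Conditions checks a SAML 2.0 SP performs on an assertion,
and how a skewed local clock turns a valid assertion into a rejection.
The sample assertion below is constructed for this demo (hostnames are
placeholders); the SAML namespace and attribute names are the real ones.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: valid for five minutes around the post's date.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_demo123"
    Version="2.0" IssueInstant="2008-04-06T14:20:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2008-04-06T14:20:00Z"
                   NotOnOrAfter="2008-04-06T14:25:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_instant(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing 'Z'; drop fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a 'Z' suffix")
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime, expected_audience: str,
                     allowed_skew: timedelta = timedelta(seconds=180)):
    """Return (ok, reason) for the time window and audience restriction.

    allowed_skew is the tolerance an SP grants for clock drift between itself
    and the IdP (the 180 s default here is an assumed, illustrative value).
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "assertion carries no Conditions element"

    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")

    # SP clock behind the IdP: the assertion looks like it comes from the future.
    if not_before and now + allowed_skew < parse_saml_instant(not_before):
        return False, f"not yet valid (NotBefore={not_before}); check the SP clock"
    # SP clock ahead of the IdP: the assertion looks already expired.
    if not_on_or_after and now - allowed_skew >= parse_saml_instant(not_on_or_after):
        return False, f"expired (NotOnOrAfter={not_on_or_after}); check the SP clock"

    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if audiences and expected_audience not in audiences:
        return False, "audience restriction does not name this SP"
    return True, "conditions satisfied"


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    correct = datetime(2008, 4, 6, 14, 22, tzinfo=timezone.utc)
    print("correct clock: ", check_conditions(SAMPLE_ASSERTION, correct, sp))
    print("clock 1h slow: ", check_conditions(SAMPLE_ASSERTION, correct - timedelta(hours=1), sp))
    print("clock 1h fast: ", check_conditions(SAMPLE_ASSERTION, correct + timedelta(hours=1), sp))
```

Running it with the SP clock an hour slow or fast produces the two rejection reasons; the same assertion passes once the clock is right, which is why NTP on the SP host is the first thing to verify before digging into metadata or certificate problems.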