[OpenID] differentiating users
Steven Livingstone-Perez
weblivz at hotmail.com
Thu May 22 08:02:05 UTC 2008
Hi Nate - thanks for that. I will look into this. I also agree with you on
URLs for attributes - like in OWL/RDF.
I do remember all the attributes of LDAP that I don't think anyone ever
used! I think the whole idea of distributed discoverable and sharable
attributes is a different but very useful area. Be interesting if anyone is
looking into an online library to find this kind of stuff for OpenID? We
don't need 50 versions of "Role" or "FavouriteBook". If no one has such a
library yet I may do something on it.
I haven't used the extended attributes in OpenID 2 much yet so if you have
some useful pointers it would be much appreciated. But I'm checking out just
now anyway.
thanks again,
Steven
http://weblivz.openid.org
From: Nate Klingenstein [mailto:ndk at internet2.edu]
Sent: 21 May 2008 23:59
To: Steven Livingstone-Perez
Cc: general at openid.net
Subject: Re: [OpenID] differentiating users
Steven,
Federated identity is full of network effects. This is one of them. The
more people that understand an attribute you're using, the more powerful it
is. On the other hand, many applications and communities have attributes
that carry nuances not shared with the rest of the world, so they can't
recycle an existing attribute. We have eduPersonEntitlement for precisely
this use case, and you're welcome to look at it, but it's probably outside
your domain.
I like URLs for attribute names because they could be easily resolved to
acquire more information about the attribute someday. OpenID's AX supports
that well already.
Deciding which attribute to use, what to name it, and whether to recycle is
an art and not a science, though. Sometimes it's more effective to keep
fine-grained attributes and permissions at the service, as well. Some
things aren't meant to be centralized. Look at the successful and failed
attributes the LDAP/X.500 world ended up with for some good examples on
where to draw the line. Perhaps in your case:
openid.ax.type.(applicationName)Role=http://yourdomain.org/applicationName/Role
openid.ax.value.(applicationNameRole)=private
Have fun in the colorful world of attributes,
Nate.
On 21 May 2008, at 19:58, Steven Livingstone-Perez wrote:
I had considered that some attribute "role" with a value
yourdomain.org/private and yourdomain.org/public could be universally
understood (due to the namespace uniqueness). Even without the namespace
this could be useful!
Has anyone got more info on how they have, or perhaps intend to, accomplish
this?
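Added example, not part of the original thread or of any OpenID library: a sketch of how a relying party could read a role attribute like the one suggested above from an AX fetch response, matching on the type URL rather than the sender-chosen alias and ignoring any field not listed in openid.signed. The role URL, the aliases and the sample response are constructed, and the signature over the signed fields is assumed to have been verified already by the OpenID library.

```python
from urllib.parse import parse_qsl

AX_NS = "http://openid.net/srv/ax/1.0"
# Assumed attribute type URL, following the placeholder pattern in the message.
ROLE_TYPE = "http://yourdomain.org/applicationName/Role"

def ax_values(params, type_uri):
    """Return the signed AX values whose type is type_uri, else []."""
    # The extension alias is chosen by the sender; locate it by namespace URI.
    ns = next((k[len("openid.ns."):] for k, v in params.items()
               if k.startswith("openid.ns.") and v == AX_NS), None)
    if ns is None:
        return []
    signed = set(params.get("openid.signed", "").split(","))

    def signed_get(field):
        # A field outside openid.signed is not covered by the assertion
        # signature, so it is treated as absent.
        return params.get("openid." + field) if field in signed else None

    if signed_get(f"ns.{ns}") != AX_NS or signed_get(f"{ns}.mode") != "fetch_response":
        return []
    prefix = f"openid.{ns}.type."
    values = []
    for key in params:
        if not key.startswith(prefix):
            continue
        alias = key[len(prefix):]
        # Match on the type URL: the alias name itself carries no meaning.
        if signed_get(f"{ns}.type.{alias}") != type_uri:
            continue
        count = signed_get(f"{ns}.count.{alias}")
        if count is None:
            fields = [f"{ns}.value.{alias}"]
        else:
            n = int(count) if count.isdigit() else 0
            fields = [f"{ns}.value.{alias}.{i}" for i in range(1, n + 1)]
        values += [v for v in map(signed_get, fields) if v is not None]
    return values

# Constructed sample response (query-string form); not captured traffic.
SAMPLE = ("openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
          "&openid.ext1.mode=fetch_response"
          "&openid.ext1.type.appRole=http%3A%2F%2Fyourdomain.org%2FapplicationName%2FRole"
          "&openid.ext1.value.appRole=private"
          "&openid.signed=ns.ext1,ext1.mode,ext1.type.appRole,ext1.value.appRole")

if __name__ == "__main__":
    print(ax_values(dict(parse_qsl(SAMPLE)), ROLE_TYPE))
```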