[OpenID] Community Reputation Services

Nate Klingenstein ndk at internet2.edu
Thu May 22 20:09:10 UTC 2008


Dick,

> There is OpenID, the set of protocols, and an OpenID, an identifier.
>
> Is an OpenID identifier appropriate for your use cases? I don't  
> think so.

I'm torn on my answer here, to be honest.  We've tried for a very  
long time to split authentication from authorization: anyone could be  
given any identifier and it makes not a whit of difference, because  
it doesn't necessarily grant any access or authorizations.  So, in  
principle, I totally agree with you.  I'd love this to be the case  
because we could enhance identifiers and identities from other IdPs/ 
OPs with our own information, resulting in all kinds of good things  
for users.

In practice, this stance is often futile, just because applications  
don't generally work that way (and proxying securely is really, really  
hard).  Drives me nuts.

Anyway, I don't see anything wrong with obtaining an OpenID  
identifier in our use cases.  It just isn't itself meaningful for  
these apps without the OP being trusted, and often trusted in a  
specific way.  The same is true of any attributes sent too.  It's all  
down to the RP to decide if it cares or not; I don't see an  
identifier itself as materially different from any other information  
about the user on this basis, and I think it could be used as a  
user's primary key just fine for apps that need that.

> BUT, you could use the protocols to request and receive a claim  
> from a trusted source saying something about the user. We (Sxip)  
> demoed some code to do that, but to date, the OpenID community has  
> been focussed on other requirements.

Exactly.

> Which OP is managing an Identifier at a particular point in time  
> should be irrelevant to the RP.

I'd disagree with that on the premises that an OP can generally spoof  
an identifier it manages at any point in time merely by impersonating  
the user and skipping authentication.  Is that not the case?

> Let me know if this is resonating or not!

Mostly, and I really appreciate the conversation.
Nate.
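As an added illustration of the RP-side stance taken in this message (this is example code written for this page, not code from the thread, from Sxip, or from any OpenID library), the sketch below treats the OpenID identifier like any other claim: it is only meaningful because a trusted OP asserted it, attributes are believed only from OPs trusted for them, and accounts are keyed on the (OP, identifier) pair so that the same identifier arriving from a different OP does not silently take over an existing account. The allowlist, endpoints, identifiers and attribute names are constructed, and it is assumed that signature verification of the assertion has already happened before this step.

```python
"""RP-side trust decision for an OpenID assertion (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed allowlist: the OPs this hypothetical RP trusts, and which
# attributes it is willing to believe from each. Endpoints are made up.
TRUSTED_OPS = {
    "https://op.example.edu/openid": {"attrs": {"email", "affiliation"}},
    "https://op.example.net/": {"attrs": set()},  # identity only, no attributes
}


@dataclass(frozen=True)
class Assertion:
    """A positive assertion the RP has already signature-verified (assumed)."""
    claimed_id: str                      # OpenID identifier asserted for the user
    op_endpoint: str                     # OP that produced and signed the assertion
    attributes: Dict[str, str] = field(default_factory=dict)


def accept(assertion: Assertion) -> Optional[dict]:
    """Return the RP's view of the user, or None if the OP is not trusted.

    The identifier is handled like any other claim: it counts only because a
    trusted OP said it. Attributes the OP is not trusted for are dropped.
    """
    policy = TRUSTED_OPS.get(assertion.op_endpoint)
    if policy is None:
        return None
    return {
        # Key accounts on (OP, identifier): which OP vouched is part of the identity.
        "primary_key": (assertion.op_endpoint, assertion.claimed_id),
        "attributes": {k: v for k, v in assertion.attributes.items()
                       if k in policy["attrs"]},
    }


def resolve_account(assertion: Assertion, accounts: dict) -> Tuple[str, Optional[dict]]:
    """Map an accepted assertion to an existing account or create one.

    Returns (status, account). Status is 'rejected', 'existing', 'created', or
    'op_changed' when a previously seen identifier now arrives from a different
    OP; the RP treats that as an unlinked identity rather than a takeover of
    the old account.
    """
    view = accept(assertion)
    if view is None:
        return "rejected", None
    key = view["primary_key"]
    if key in accounts:
        return "existing", accounts[key]
    for (op, cid) in accounts:
        if cid == assertion.claimed_id and op != assertion.op_endpoint:
            return "op_changed", None
    accounts[key] = view
    return "created", view


if __name__ == "__main__":
    store = {}
    alice = Assertion("https://alice.example.org/", "https://op.example.edu/openid",
                      {"email": "alice@example.org", "role": "admin"})
    print(resolve_account(alice, store))   # created; 'role' is not a trusted attribute
    print(resolve_account(Assertion("https://alice.example.org/",
                                    "https://op.example.net/"), store))  # op_changed
```

The design choice worth noting is the composite key: an RP that keys users on the bare identifier is implicitly trusting whichever OP currently serves it, which is exactly the impersonation concern raised above.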
