[OpenID] Real Identity Verification
Nate Klingenstein
ndk at internet2.edu
Tue Nov 4 12:20:23 UTC 2008
Steven,
> They are likely to go with Shibboleth (currently using Athens) at
> the core because of the higher level of trust and verification as
> compared to OpenID.
The UK Federation for Access Management is up to 618 members
(http://www.ukfederation.org.uk/), and they're working very hard to ensure a
consistently good level of practices and trust throughout. It's
truly multilateral and a high level of assurance, and they've done
excellent work.
> I argued that to the public user OpenID is much easier to attain
> and run with – especially with Google, Microsoft, Yahoo etc. now
> supporting it.
This is no doubt true, but I think that Yahoo, Microsoft, and Google
offer a very different level of trust and verification with their
email accounts. They've got a business to run.
> There was also the argument that you can protect resources directly
> using Shibboleth. Now maybe someone working on this can correct me,
> but my guess is that if you can’t already, you will soon be able to
> map an OpenID to a token (say a SID in windows) and you’ll protect
> resources using the common operating system rather than a brand new
> way of protecting resources. True?
Shibboleth's SP design is more at work here than anything
protocol-related. The SP is built to protect resources and paths
directly, like a filter, with very little to no modification of or
integration into the application. As far as integration with the
operating system goes, if CardSpace rises from the grave -- four days
too late for that metaphor to be good -- then we'll all be in good
shape regardless. Microsoft's new Geneva identity suite will
probably offer a lot of integration, with all the good and "aaaargh"
that comes with that.
http://www.theregister.co.uk/2008/10/30/microsoft_generva_hailstorm/
I'd like to remind people to focus a little less on protocols we use
and a little more on trust structures. OpenID as a protocol couldn't
support these trust structures today, partially by design; that could
change in the future as the set of deployers changes. Today,
Shibboleth is, in my incredibly biased opinion, a fine choice for
your application that requires trusted identity from known sources
and privacy for your users.
Thanks for the interesting anecdote,
Nate.