[OpenID] [LIKELY_SPAM]Re: Real Identity Verification
Peter Williams
pwilliams at rapattoni.com
Tue Nov 4 12:36:03 UTC 2008
If one uses the openid gateway from TrustBearer Labs to front Shibboleth, openid assertions would get all the "original accuracy" assurances of the 618.
Now, there are those, and Paul MAY be one of them (as are authors of early NSA documents on user auth for networks), who contend that a relying party must apply a confidence metric to identity claims. As part of reliance, evaluate the protocol and assertion language, evaluate the signature and certificates (if used), evaluate the trusted bearer like https (if used), evaluate the likelihood of the person citing that attribute on this channel, ... and evaluate the proxying model (at the level of the ordinary consumer).
But, Nate is right. What matters is the accuracy and fidelity of the original attribute (that often comes from the trusted directory or other db). What matters is how the directory administration domains for the different object classes are registering and managing the lifecycle of controlled objects.
So. There is the X.500 DIT/DIB (often accessed by SQL), which is fronted by the ldap protocol machine, which is fronted by the Shibboleth protocol machine, which can be fronted by the openid auth protocol machine.
OpenID is different to Shibboleth. OpenID brings the likes of Yahoo and Google assertions to RPs (just like us). I don't WANT to manage the 6 million consumers who come to our website, any more than I want to manage their email boxes. Let ads (on other people's sites) pay for all that!
My job as an RP is to design/operate the confidence metric, for which we use an expert system with an auto-feedback model tuned to identity in realty apps (offline), that also accepts Cisco IPS realtime feedback. This is where we add some value, in handling (local) "reputation" models for different affiliations of SPs.
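The relying-party "confidence metric" described above can be illustrated in code. The following is an added example, not code from the poster, his employer or any OpenID project: it verifies an OpenID 2.0 style assertion signature (HMAC-SHA256 over the fields listed in `openid.signed`) and then scores the assertion on the factors the message lists: the bearer channel (https or not), the signature, whether the assertion language covers the required fields, and a locally maintained reputation for the asserting provider. The association key, the reputation table, the provider URLs and the sample assertion are all constructed for the example; the weights and threshold are illustrative assumptions.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed association secret shared between this RP and the provider (hypothetical value).
MAC_KEY = b"constructed-association-secret"

# Hypothetical local reputation table, 0.0 (unknown provider) to 1.0 (fully trusted federation member).
IDP_REPUTATION: Dict[str, float] = {
    "https://idp.example-federation.test/openid": 0.9,
    "https://openid.example-free-provider.test/": 0.5,
}

# Fields OpenID 2.0 requires to be covered by the signature of a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

# Illustrative acceptance threshold for the combined score (an assumption, not a standard value).
ACCEPT_THRESHOLD = 0.7


def openid_signature(params: Dict[str, str], mac_key: bytes) -> str:
    """OpenID 2.0 style signature: HMAC-SHA256 over 'field:value\\n' for each
    field named in openid.signed (without the 'openid.' prefix), base64-encoded."""
    fields = params.get("openid.signed", "").split(",")
    message = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields)
    digest = hmac.new(mac_key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_assertion(params: Dict[str, str], mac_key: bytes) -> Dict[str, str]:
    """Provider side: attach openid.sig to an otherwise complete assertion."""
    signed = dict(params)
    signed["openid.sig"] = openid_signature(params, mac_key)
    return signed


def assess_assertion(params: Dict[str, str], over_https: bool,
                     mac_key: bytes = MAC_KEY,
                     reputation: Dict[str, float] = IDP_REPUTATION) -> Tuple[float, List[str]]:
    """Relying-party side: return (confidence score, findings) for one assertion."""
    findings: List[str] = []
    score = 0.0

    # 1. Trusted bearer: was the assertion delivered over https?
    if over_https:
        score += 0.2
    else:
        findings.append("assertion arrived over plain http")

    # 2. Signature: a failure is a rejection, not merely a low score.
    expected = openid_signature(params, mac_key)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        findings.append("signature does not verify against the association key")
        return 0.0, findings
    score += 0.4

    # 3. Assertion language: every required field must be under the signature,
    #    otherwise an attacker could swap unsigned fields without breaking the MAC.
    missing = REQUIRED_SIGNED - set(params.get("openid.signed", "").split(","))
    if missing:
        findings.append("unsigned required fields: " + ", ".join(sorted(missing)))
        return 0.0, findings

    # 4. Local reputation of the asserting provider (the "expert system" input).
    rep = reputation.get(params.get("openid.op_endpoint", ""), 0.0)
    if rep == 0.0:
        findings.append("unknown identity provider")
    score += 0.4 * rep

    return round(score, 2), findings


def accept(params: Dict[str, str], over_https: bool) -> bool:
    """Decision the RP would act on: score must clear the threshold."""
    score, _ = assess_assertion(params, over_https)
    return score >= ACCEPT_THRESHOLD


# Constructed sample assertion, as a provider would return it after a successful login.
SAMPLE_ASSERTION = sign_assertion({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://idp.example-federation.test/openid",
    "openid.claimed_id": "https://idp.example-federation.test/users/alice",
    "openid.identity": "https://idp.example-federation.test/users/alice",
    "openid.return_to": "https://rp.example.test/login/return",
    "openid.response_nonce": "2008-11-04T12:36:03ZCONSTRUCTED",
    "openid.assoc_handle": "constructed-handle-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}, MAC_KEY)

if __name__ == "__main__":
    print(assess_assertion(SAMPLE_ASSERTION, over_https=True), accept(SAMPLE_ASSERTION, True))
```

The signature check is deliberately a hard stop rather than one weighted term: a provider reputation score cannot compensate for an assertion the RP cannot prove came from that provider. Only the softer factors (channel, reputation) feed the graded score that the feedback model would tune.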
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Nate Klingenstein
Sent: Tuesday, November 04, 2008 4:20 AM
To: Steven Livingstone-Perez
Cc: general at openid.net
Subject: [LIKELY_SPAM]Re: [OpenID] Real Identity Verification
Steven,
They are likely to go with Shibboleth (currently using Athens) at the core because of the higher level of trust and verification as compared to OpenID.
The UK Federation for Access Management is up to 618 members (http://www.ukfederation.org.uk/), and they're working very hard to ensure a consistently good level of practices and trust throughout. It's truly multilateral and a high level of assurance, and they've done excellent work.