[OpenID] Real Identity Verification
Steven Livingstone-Perez
weblivz at hotmail.com
Tue Nov 4 12:43:07 UTC 2008
Thanks Nate. I didn't realize there was an Information Card foundation too.
Slight aside, but is there an "Identity Foundation"? A group of people and
resources from each of these projects that as consumers we could follow
easier? Would be nice if there was an advantages/disadvantages, libraries,
suggested architecture and so on to help decision makers (not just business,
but technical level).
You see my point to them was that Shibboleth will be useful for users under
their control and their core applications, but OpenID would be very good for
their public forums, discussions and so on - things that are to be more
fluid. I would love to point them at a "proven/suggested architecture"
diagram rather than creating my own.
steven
http://livz.org
From: Nate Klingenstein [mailto:ndk at internet2.edu]
Sent: 04 November 2008 12:20
To: Steven Livingstone-Perez
Cc: 'Rebecca Cannon'; general at openid.net
Subject: Re: [OpenID] Real Identity Verification
Steven,
They are likely to go with Shibboleth (currently using Athens) at the core
because of the higher level of trust and verification as compared to OpenID.
The UK Federation for Access Management is up to 618 members
(http://www.ukfederation.org.uk/), and they're working very hard to ensure a
consistently good level of practices and trust throughout. It's truly
multilateral and a high level of assurance, and they've done excellent work.
I argued that to the public user OpenID is much easier to attain and run
with - especially with Google, Microsoft, Yahoo etc. now supporting it.
This is no doubt true, but I think that Yahoo, Microsoft, and Google offer a
very different level of trust and verification with their email accounts.
They've got a business to run.
There was also the argument that you can protect resources directly using
Shibboleth. Now maybe someone working on this can correct me, but my guess
is that if you can't already, you will soon be able to map an OpenID to a
token (say a SID in windows) and you'll protect resources using the common
operating system rather than a brand new way of protecting resources. True?
Shibboleth's SP design is more at work here than anything protocol-related.
The SP is built to protect resources and paths directly, like a
filter, with very little to no modification of or integration into the
application. As far as integration with the operating system goes, if
CardSpace rises from the grave -- four days too late for that metaphor to be
good -- then we'll all be in good shape regardless. Microsoft's new Geneva
identity suite will probably offer a lot of integration, with all the good
and "aaaargh" that comes with that.
http://www.theregister.co.uk/2008/10/30/microsoft_generva_hailstorm/
I'd like to remind people to focus a little less on protocols we use and a
little more on trust structures. OpenID as a protocol couldn't support
these trust structures today, partially by design; that could change in the
future as the set of deployers changes. Today, Shibboleth is, in my
incredibly biased opinion, a fine choice for your application that requires
trusted identity from known sources and privacy for your users.
Thanks for the interesting anecdote,
Nate.