[OpenID] [LIKELY_SPAM]Re: Google OpenID IDP is now live
Peter Williams
pwilliams at rapattoni.com
Wed Oct 29 17:47:32 UTC 2008
I don't worry about "federated identity" moniker. There is in reality very little difference between basic SAML and openid2 (except that openid2 is much more modern in its praxis of metadata). Plaxo essentially do federated identity... mapping n openids onto 1 local account, which works fine with directed identity also at the IDP.
Nothing about OpenID REQUIRES an IDP to trust any RP, or vice versa. It promotes that idea...but no where does any conformance requirements enforce it.
For testing, limiting RPs seems fine (when you have a high profile like a Google). Time will tell i...and we will see if it's a foil for an intended business practice to impose "legal" reliance limits, tho.
The web is a powerful force. In 1994 there were 4 CAs, with excellent security model, with full academic pedigree. In 1996 it had all fallen away, so anyone could be a CA. Of course, quality went down...somewhat, requiring compensating controls in the Wells Fargo (and later the Visa) backend. Banks loved it... since their processing networks became the TTP (switching network) - retaining the value point, and combating such as internet payment schemes whose micro-currency schemes were going to eliminate VISA. Etc.
If you don't whine, a lot, the US firms WILL impose reliance limits, much as the Japanese firms will fail to interwork in practice with peers/subs outside their capital/trading groups.
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Andrew Arnott
Sent: Wednesday, October 29, 2008 10:31 AM
To: Eric Sachs
Cc: Joseph Smarr; OpenID List
Subject: [LIKELY_SPAM]Re: [OpenID] Google OpenID IDP is now live
Forgive my apparent ignorance, but this doesn't look like a standard OpenID Provider. I just tried to log into my own RP typing in "google.com" to use directed identity, since I have no idea what my own identifier URL would be, and no endpoints were found. Also tried "gmail.com".
When I read the blog, it mentioned OpenID but the link was to register for federated login. I thought Shibboleth was about federated login and OpenID was about letting any RP log into an IDP. Why does an RP have to register with Google before using its IDP? And even if it registered, that can't automatically make "google.com" discoverable, so this doesn't feel like OpenID at all to me.
Unhappy, but hoping someone can explain it to me.
On Wed, Oct 29, 2008 at 9:02 AM, Eric Sachs <esachs at google.com> wrote:
Google's IDP is now live. You can try it on Plaxo, ZoHo, & Buxfer and hopefully more RPs to come soon. Here is the blog post with more details, including information on how RPs can sign up to use the service:
http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html
And yes, it does allow RPs to request a user's E-mail address via AX as an option. I'll let Joseph Smarr from Plaxo respond with details on how they are using that feature to further simplify the signup flow for Plaxo.
Eric Sachs
Product Manager, Google Security
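The discovery step Andrew describes (type "google.com" into an RP, expect directed identity, get "no endpoints found") is mechanical enough to show in code. The following is an added example, not code from this thread, from Google's service, or from any OpenID library: it parses an XRDS document the way an OpenID 2.0 RP does, picks the highest-priority OpenID service, decides whether the identifier is an OP Identifier (directed identity) or a Claimed Identifier, and builds the matching checkid_setup parameters. The XRDS documents, the hosts op.example, alice.example and rp.example, and the endpoint paths are all constructed for the example.

```python
"""
OpenID 2.0 discovery and directed identity, in miniature (added example; not code
from the original thread or from Google's OpenID service).

Given the XRDS document an RP fetches from a user-supplied identifier such as
"google.com", find the OpenID 2.0 service elements, pick the highest-priority
endpoint, and decide whether the identifier is an OP Identifier (directed
identity: the OP chooses the account) or a Claimed Identifier. If no OpenID
service is published, discovery yields nothing, i.e. "no endpoints found".
All XRDS documents and URLs below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Type URIs from the OpenID Authentication 2.0 specification.
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"   # OP Identifier
CLAIMED_ID_TYPE = "http://specs.openid.net/auth/2.0/signon"      # Claimed Identifier
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OPENID_NS = "http://specs.openid.net/auth/2.0"
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}

# Constructed XRDS for an OP that publishes an OP Identifier endpoint (op.example is a placeholder).
OP_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://op.example/openid/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed XRDS for one user's Claimed Identifier, delegating to an OP-Local Identifier.
USER_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/openid/auth</URI>
      <LocalID>https://op.example/users/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed XRDS from a site that publishes no OpenID service at all.
NO_OPENID_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://example.invalid/some-other-protocol</Type>
      <URI>https://www.example/other</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def find_openid_service(xrds_text: str) -> Optional[dict]:
    """Return the highest-priority OpenID 2.0 service in an XRDS, or None if there is none."""
    root = ET.fromstring(xrds_text)
    candidates = []
    for service in root.iterfind(".//xrd:Service", NS):
        types = [t.text.strip() for t in service.iterfind("xrd:Type", NS) if t.text]
        if OP_IDENTIFIER_TYPE not in types and CLAIMED_ID_TYPE not in types:
            continue  # not an OpenID 2.0 service (1.x and unrelated services are ignored here)
        uri = service.find("xrd:URI", NS)
        if uri is None or not uri.text:
            continue
        local_id = service.find("xrd:LocalID", NS)
        prio = service.get("priority")
        candidates.append({
            "endpoint": uri.text.strip(),
            "types": types,
            "local_id": local_id.text.strip() if local_id is not None and local_id.text else None,
            # XRI resolution: a missing priority sorts after every numeric one.
            "priority": int(prio) if prio is not None else float("inf"),
        })
    if not candidates:
        return None
    return min(candidates, key=lambda c: c["priority"])


def supports_directed_identity(service: dict) -> bool:
    """True if the discovered service is an OP Identifier, so the RP may use identifier_select."""
    return OP_IDENTIFIER_TYPE in service["types"]


def build_auth_request(service: dict, claimed_id: str, return_to: str, realm: str) -> dict:
    """Build the openid.* parameters of a checkid_setup request for the discovered service."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    if supports_directed_identity(service):
        # Directed identity: the RP does not yet know which account will sign in, so both
        # identifiers carry the identifier_select sentinel and the OP fills them in.
        params["openid.claimed_id"] = IDENTIFIER_SELECT
        params["openid.identity"] = IDENTIFIER_SELECT
    else:
        # Claimed Identifier: identity is the OP-Local Identifier when one is delegated.
        params["openid.claimed_id"] = claimed_id
        params["openid.identity"] = service["local_id"] or claimed_id
    return params


if __name__ == "__main__":
    for label, doc in (("op", OP_XRDS), ("user", USER_XRDS), ("none", NO_OPENID_XRDS)):
        svc = find_openid_service(doc)
        print(label, "->", svc["endpoint"] if svc else "no endpoints found")
```

The NO_OPENID_XRDS case is the situation Andrew reports: discovery on the typed identifier returns no OpenID 2.0 service, so the RP has nothing to send the user to, regardless of whether the provider is live. In the directed-identity case the RP learns the actual claimed_id only from the OP's positive assertion; an RP that accepts it must then re-run discovery on that returned claimed_id and confirm the asserting endpoint is one the identifier really publishes, otherwise any OP could assert any identifier.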