[OpenID] Too many providers... and here's one reason
Eric Sachs
esachs at google.com
Tue Sep 16 18:11:27 UTC 2008
In the OAuth space there are a bunch of companies/projects doing something
that they term differently, but which sounds very similar to your use case.
An OAuth "aggregator" wants to pull together assertions about a particular
user (call him Tom) from multiple 3rd parties, and then allow Tom to share
those assertions with other users of the aggregator site, or share them to
other 3rd party sites. The most well known examples are activity streams in
OpenSocial, and personal health record stores like MS HealthVault & Google
Health.
Some examples of assertions include things like "Stanford says this user
graduated with a Comp Sci degree from Stanford," or "World of Warcraft
says this user's warrior on World of Warcraft is level 33," or "LabQuest
says this user had lab test X with result Y."
In most of these scenarios, we are seeing that the downstream readers of an
assertion are willing to trust the aggregator to specify the identity of the
original asserter. That is not as cryptographically strong as the original
source signing their assertion, however as people noted in this thread, it
is certainly possible to add that feature. Though in some specialized cases
the digital signatures can leak privacy details, and avoiding that requires
even more advanced crypto techniques.
If you want to learn more, there are some comments about this type of
assertion "gathering" in the following two documents about how OAuth is
used, however they are targeted more at product managers/marketing types,
and don't focus much on the technical details.
https://sites.google.com/site/oauthgoog/oauth-practices
https://sites.google.com/site/oauthgoog/oauth-practices/user-interface
Eric Sachs
Product Manager, Google Security
On Tue, Sep 16, 2008 at 8:23 AM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
> >Basically, I'd use my preferred OP and request the organization to
> >provide a signed attribute of my membership in org XYZ.
>
> Interesting thought - signed by the organization? Perhaps an
> assertion of membership AND "here's what your organization gave us to
> remind them that you are a member", so the organization can recognize
> revoked membership signatures?
>
> >Of course, there will have to be a "trust relationship" between org XYZ
> >and my preferred OP, but I don't see that trust as any deeper than the
> >"trust relationship" between an RP and an OP.
>
> If there were only a single OP in the world, it would even be the
> *same* trust relationship, and with one OP handling authentication
> for several organizations; just as one OP can handle authentication
> for more than a single organization now.
>
> But perhaps starting out as the OP for a small organization, at
> first, can be an opportunity for new developers to both assure
> themselves of OpenID's security and find gainful employment in
> connection to business startups?
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
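One way to implement the stronger option Eric mentions, where the original source signs its assertion so a downstream reader can verify it without trusting the aggregator's word about who issued it. This is an added Go example, not code from the thread or from any product named in it; the JSON assertion shape, Ed25519 signatures and the issuer name "stanford.example" are all assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Assertion is a hypothetical statement by a third party about a user,
// e.g. "Stanford says Tom holds a CS degree". Field values are constructed.
type Assertion struct {
	Issuer  string `json:"issuer"`
	Subject string `json:"subject"`
	Claim   string `json:"claim"`
}

// SignedAssertion carries the issuer's own signature over the canonical
// JSON of the assertion, so it survives relay through an aggregator intact.
type SignedAssertion struct {
	Assertion
	Signature []byte `json:"sig"`
}

// canonical gives the bytes that are signed and verified; struct field
// order is fixed, so encoding is stable across both sides.
func canonical(a Assertion) []byte {
	b, _ := json.Marshal(a)
	return b
}

// Sign is performed by the original source (the issuer), not the aggregator.
func Sign(priv ed25519.PrivateKey, a Assertion) SignedAssertion {
	return SignedAssertion{Assertion: a, Signature: ed25519.Sign(priv, canonical(a))}
}

// Verify is what the downstream reader does: it checks the issuer's signature
// against a key it already trusts for that issuer, instead of trusting the
// aggregator to name the asserter. Unknown issuers and any altered field fail.
func Verify(issuerKeys map[string]ed25519.PublicKey, s SignedAssertion) bool {
	pub, ok := issuerKeys[s.Issuer]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, canonical(s.Assertion), s.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"stanford.example": pub}
	s := Sign(priv, Assertion{"stanford.example", "tom", "BS Computer Science"})
	fmt.Println("genuine:", Verify(keys, s)) // true
	s.Claim = "PhD Computer Science"         // relayed copy altered in transit
	fmt.Println("tampered:", Verify(keys, s)) // false
}
```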