[OpenID] Windows Live ID OpenID CTP Status Update (August 2009)
Peter Williams
pwilliams at rapattoni.com
Sat Aug 29 19:00:26 UTC 2009
Be careful.
If the Ides of March put SSL client certs together with FOAF and Lampson's trust chain discovery logic, Caesar may yet take Rome from Pompey.
Good old fashioned SSL client certs (now with URL names) could WELL do to infocards what OpenID just did to SAML2.
I'm very much on the fence with infocards. And - as always - I'm rather wary of the well-funded lobbies. Its trusted client is an incredible assurance luxury, but therefore has headaches and control issues. We all know client certs; simple, & obvious.
It took over 15+ years to get (server) certs from standard to market. (The patent almost expired on us!) If it takes 10 more to do it for client certs, which are now patent free, so be it. A few million USG users use SSL client certs every day ...for the last 10 years. They are (necessarily) a part of the NSA version of the SSL key agreement handshake.
-----Original Message-----
From: openid-general-bounces at lists.openid.net [mailto:openid-general-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Saturday, August 29, 2009 11:44 AM
To: Story Henry
Cc: openid-general at lists.openid.net
Subject: Re: [OpenID] Windows Live ID OpenID CTP Status Update (August 2009)
Using SSL client auth seemed like a good idea to me 10 years ago.
Combining it with FOAF is interesting.
I suspect that getting people at large to configure client certs is
unlikely.
That was one of the things that led to the development of Information
Cards.
It is worth considering amongst the options. However, I personally
gave up on that approach a good while ago.
John B.
On 29-Aug-09, at 2:27 PM, Story Henry wrote:
> If you want one click authentication that works with most current
> browsers, that does not require a username, nor a password, and
> where the browser offers the user a popup to select his identity, then
> have a look at foaf+ssl.
>
> http://esw.w3.org/topic/foaf+ssl
>
> An example implementation is http://foaf.me/
> which will create a certificate for you in Firefox, Safari and Opera
> after you have created your foaf file. (We could get IE to work too, but
> it requires a bit of ActiveX (no download required) hacking.)
>
> Henry
>
> On 29 Aug 2009, at 20:21, John Bradley wrote:
>
>> I have never thought that training users to give out their email
>> address to whoever asks for it is a good idea.
>>
>> I understand the attraction of using email address as it is the
>> identifier that requires the least explanation.
>>
>> Would having someone enter their email or identity provider be too
>> confusing for people?
>>
>> I always thought your me.yahoo.com was a good model.
>>
>> Where we are going to hit serious problems first is with services
>> like OpenID for Google domains, and OPX now from JanRain.
>>
>> The current NASCAR doesn't have enough space for thousands of OPs.
>>
>> One approach is to come up with a way for users to advertise to RPs
>> who their preferred providers are.
>> That way the RP can customize the UI more appropriately for the user.
>>
>> One approach would be a browser plugin that injects JavaScript
>> into the page.
>>
>> Another would be to have a centralized discovery service that an RP
>> could query via JS in the browser.
>> OPs would register themselves with the service.
>>
>> The latter certainly has privacy issues.
>>
>> John B.
>> On 29-Aug-09, at 12:42 PM, Allen Tom wrote:
>>
>>> How about if we ditch the OP buttons and just display this:
>>>
>>> Enter your email address or Profile URL: [...................]
>>>
>>> Allen
>>>
>>>
>>> John Bradley wrote:
>>>>
>>>>
>>>> A better UI is needed however.
>>>>
>>>
>>
>
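The trust step that makes the foaf+ssl approach Henry and Peter discuss different from CA-issued client certs, as an added example that is not code from this thread, from foaf.me or from the W3C page: the client cert may be self-signed, and the server instead dereferences the URL name in the cert and accepts the login only if the FOAF profile found there publishes the very key presented in the TLS handshake. The certificate fields, the profile and the WebID are constructed stand-ins; a real server would take them from the handshake and an HTTP fetch.

```python
import re

# Constructed stand-in for the key the server reads out of a presented client
# certificate. It is NOT a real RSA modulus; the point is the comparison logic.
MODULUS_HEX = "c0ffee00" * 8
PRESENTED_CERT = {
    "san_uri": "https://example.org/people/henry#me",  # the cert's URL name
    "modulus_hex": MODULUS_HEX,
    "exponent": 65537,
}

# Constructed FOAF profile (Turtle) that the server would fetch by
# dereferencing san_uri. It lists the public key(s) the profile owner controls.
FOAF_PROFILE = f"""
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<https://example.org/people/henry#me> cert:key [
    a cert:RSAPublicKey ;
    cert:modulus "{MODULUS_HEX}"^^xsd:hexBinary ;
    cert:exponent 65537
] .
"""

# Minimal pattern for the one triple shape used above (not a general Turtle parser).
KEY_RE = re.compile(
    r'<(?P<webid>[^>]+)>\s+cert:key\s+\[.*?cert:modulus\s+"(?P<mod>[0-9a-fA-F]+)"'
    r'.*?cert:exponent\s+(?P<exp>\d+)',
    re.S,
)


def published_keys(profile: str) -> dict:
    """Map each WebID in the profile to the set of (modulus, exponent) it publishes."""
    keys: dict = {}
    for m in KEY_RE.finditer(profile):
        keys.setdefault(m["webid"], set()).add((m["mod"].lower(), int(m["exp"])))
    return keys


def verify_webid(cert: dict, profile: str) -> bool:
    """foaf+ssl acceptance rule: no CA chain is consulted; the cert is accepted
    only if the document at its URL name publishes exactly the presented key.
    A cert naming someone else's WebID, or carrying a key the profile does not
    list, is rejected even though TLS itself happily completed the handshake."""
    presented = (cert["modulus_hex"].lower(), cert["exponent"])
    return presented in published_keys(profile).get(cert["san_uri"], set())
```

The comparison is on the key, not on who signed the cert, which is why the browser can mint the certificate locally as foaf.me does.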
_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general