[OpenID] Verisign Announces Free OpenID Digital Lockbox
Christopher Staite
C.Staite at cs.bham.ac.uk
Wed Feb 25 14:18:29 UTC 2009
Hi,

I'm currently working with Vodafone and The University of Birmingham
towards creating a middleware which manages automatic distribution of
data between services while maintaining user preferences towards
privacy. The distribution of data is obviously an important part of
this and therefore reading this message sparked me to reply.

I have been told about, and hence have been reading up on, the Higgins
Project (http://www.eclipse.org/higgins/) which uses i-Cards in order to
store user information. This works on a context-based system and provides
chunks of information, but it does allow for data to be passed between
services. It seems that it is similar to AX but a little more refined.

I don't know if this would at all help if we were to use some of the
ideas implemented within the Higgins Project as it is also Open Source
but has been developed for a long time (2003 start I believe).

Duplicating effort is not what I like to do, therefore if there is going
to be some community work on creating a system of AX which uses the OP
to determine where to get the profile data from this would very much
interest me. If anyone is already aware of such work being carried out
it would also be very useful to know.

Thanks, Chris.
> Date: Sun, 22 Feb 2009 18:44:55 -0800
> From: Martin Atkins <mart at degeneration.co.uk>
> Subject: Re: [OpenID] Verisign Announces Free OpenID Digital Lockbox
> To: OpenID List <general at openid.net>
> Message-ID: <49A20DA7.1000303 at degeneration.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Allen Tom wrote:
>> Martin Atkins wrote:
>>> We need a way to do hybrid when the OP and the SP are not the same
>>> party, and ideally we need it sooner rather than later.
>>
>> This is pretty tricky, because the solution would probably imply that
>> the OP is able to generate OAuth credentials for the SP. Presumably both
>> the SP and the OP would need to agree on how to provision and verify
>> consumer keys (and consumer secrets) and somehow the user would need a
>> way to revoke an OAuth credential after it's been issued.
>
> Yes, the initial thought I had was essentially some mechanism whereby
> the SP grants the OP the right to be a proxy for OAuth transactions.
>
> So I would tell my OP that I have my contacts hosted on Google (for
> example) and it would talk to Google in some way to be determined in
> order to get permission to act as an authorization proxy for my
> contacts. I could later revoke this if I decide to change my OP, or
> change the setting at my OP if I decide to change my contacts provider,
> but neither is inextricably tied to the other.
>
> Of course, this is only an initial strawman and definitely needs both
> protocol and UX work to figure out what it would look like in practice.
>
--
=============================================
Christopher Staite C.Staite at cs.bham.ac.uk
Research Student 0121 414 8003
Room 118
School of Computer Science
University of Birmingham
=============================================