[OpenID] openid 2.1 and geneva - XRI?
Peter Williams
pwilliams at rapattoni.com
Mon May 18 01:43:15 UTC 2009
In general, OpenID could be used to authenticate a user to an STS. There's nothing in the claims-based identity world that precludes this, since an STS can do pretty much anything it likes to authenticate users. Still, I think OpenID gets too much attention. It was designed to provide authentication for low-value situations, e.g., blog comments, and so it's just not a terrific choice for more serious scenarios.
-- posted by David Chappell <http://www.blogger.com/profile/05084689775809488566> : December 28, 2008 7:36 PM, at <http://www.davidchappell.com/blog/2008/11/introducing-geneva.html?showComment=1230521760000#c5816782835665723017>
I hear the above all the time. It's perpetuated by the US/UK academic samlistas, in particular.
Folks do keep shooting themselves in the foot though, over SSL, trust models, crypto, to be fair to Chappell.
When it comes to fundamental terminology clashes, let's never forget that the term "claim" in Microsoft (Geneva) speak does not mean attribute and value, a la AX. It means the value plus the transferable permissions that the RP must enforce (perhaps once transformed by the receiving STS into the local permission algebra, e.g. the Java permission classes). So for email=peter, there is attached for saml/openid audience/realm=rapattoni.com the permissions matrix { {read, ou=ou1, ou2, ou3} write {ou=ou1,ou4} ... }.
To be fair again to Microsoft, these notions simply don't exist in OpenID standards. They can easily exist in OpenID extensions, of course, for those communities that are anti-XML and anti-SOAP.
________________________________
From: Chris Messina [chris.messina at gmail.com]
Sent: Sunday, May 17, 2009 3:06 PM
To: Peter Williams
Cc: general at openid.net; Drummond Reed; Anand Iyer, GNoTE - Global Network of Technology Evangelists; laurencooney at gmail.com
Subject: Re: [OpenID] openid 2.1 and geneva - XRI?
Thanks Peter. Clearly even within the OpenID community, language can be a challenge.
On Sun, May 17, 2009 at 12:46 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
I was hoping to see openid "at least mentioned" in the latest work from Microsoft on its core identity management platform. Bit disappointed that it's not. I'd have expected at least a v0 effort, to showcase that the architecture can gateway openid messages, as well as it gateways all the other largely-equivalent protocols.
I agree. I don't know if Mike Jones or anyone else with Microsoft wants to comment, but looking over the Geneva project site [1] and the "End to End Trust" microsite [2], I'm dismayed (though not surprised) at the lack of acknowledgement of OpenID. I mean, given MSFT's involvement in the OIDF, I would be curious if they have some kind of roadmap for integrating OpenID, or if they're relegating it to certain limited applications for community cred only.
Consider this video (wmv only, sorry):
http://tr.im/geneva_wmv
I think the use cases that are presented are very compelling [3], but seem to require existing within a completely Microsoft stack.
While some elements within MSFT are moving in a positive direction [4], I'm confused by the seemingly schizophrenic approach with Cardspace and OpenID. What's the dilly? Are they committed or not? And, furthermore, what needs to happen with OpenID so that it becomes more of a cornerstone technology with their security offerings (like Forefront [5])?
Chris
[1] http://www.microsoft.com/forefront/geneva/en/us/
[2] http://www.microsoft.com/mscorp/twc/endtoendtrust/
[3] http://news.cnet.com/8301-1009_3-10223686-83.html
[4] http://cooney.typepad.com/lauren_cooneys_blog/2009/05/fighting-the-good-fight-for-the-community-and-how-you-can-help.html
[5] http://www.microsoft.com/forefront/en/us/default.aspx
--
Chris Messina
Open Web Advocate
factoryjoe.com<http://factoryjoe.com> // diso-project.org<http://diso-project.org> // openid.net<http://openid.net>
This email is: [ ] bloggable [X] ask first [ ] private
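As an added illustration of the "claim" distinction Peter draws above (not code from the thread or from Geneva), the following models an AX-style attribute beside a claim that carries a value plus audience-scoped permissions, and the RP-side transform into a local permission algebra that Peter describes; the email=peter / rapattoni.com / read-write matrix is reconstructed from his example and all names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# AX-style attribute (constructed): a type and a value, nothing about what the RP may let the subject do.
AX_EMAIL = {"type": "http://axschema.org/contact/email", "value": "peter"}


@dataclass(frozen=True)
class Claim:
    """Hypothetical model of a Geneva-style claim: value plus permissions bound to one audience/realm."""
    claim_type: str
    value: str
    audience: str                              # realm the issuing STS bound the permissions to
    permissions: Dict[str, FrozenSet[str]]     # action -> set of OUs the RP must enforce


# Peter's example, reconstructed: email=peter, audience rapattoni.com, read on ou1-ou3, write on ou1 and ou4.
PETER_CLAIM = Claim(
    claim_type="email",
    value="peter",
    audience="rapattoni.com",
    permissions={
        "read": frozenset({"ou1", "ou2", "ou3"}),
        "write": frozenset({"ou1", "ou4"}),
    },
)


def ax_allows(attribute: dict, action: str, ou: str) -> Optional[bool]:
    """An AX attribute carries no permission semantics: the RP cannot answer from the attribute alone,
    it must consult its own policy store. None signals 'unknown', not 'denied'."""
    return None


def to_local_permissions(claim: Claim, rp_realm: str) -> Set[Tuple[str, str]]:
    """Receiving STS/RP transform into a local permission algebra: a set of (action, ou) grants.
    A claim issued for another audience yields no grants, so a token minted for one realm
    confers nothing when presented to a different RP."""
    if claim.audience != rp_realm:
        return set()
    return {(action, ou) for action, ous in claim.permissions.items() for ou in ous}


def rp_allows(claim: Claim, rp_realm: str, action: str, ou: str) -> bool:
    """RP enforcement point: grant only what the transformed claim explicitly contains.
    Note that write on an OU does not imply read on it (ou4 is write-only in the example)."""
    return (action, ou) in to_local_permissions(claim, rp_realm)
```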