[OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis

Manger, James H James.H.Manger at team.telstra.com
Mon Oct 26 23:28:44 UTC 2009

Dirk,

I don’t think your IBM example is a very convincing argument for host-meta to take precedence over an actual OpenID URI. Listing an OP in host-meta may be a bit easier for an IBM IT admin than preventing links to OPs from other URIs — but the latter is quite feasible (rules in the page editing tool; filter in web server; validator on page changes; background script to look in the file system for this specific situation…). Even a non-technical corporate policy saying staff must not specify another OP goes some way to meeting the objective.
It is probably more convenient for host-meta to be able to provide a default OP, which can be overwritten for some special URIs. Most OpenID URIs on a host don’t specify an OP so they fallback to host-meta, but a few can use a different OP (for non-humans, for contractors, for testing, for migrating to a new OP implementation, for staff with a different hardware login token…).
James Manger
James.H.Manger at team.telstra.com
Identity and security team — Chief Technology Office — Telstra
From: openid-general-bounces at lists.openid.net [mailto:openid-general-bounces at lists.openid.net] On Behalf Of Dirk Balfanz
Sent: Tuesday, 27 October 2009 7:51 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis
…If you have your own domain, you can pick (and change) your identity provider. But if you're one of 300,000 IBM employees, there are certain things you can't pick about your work account - you can't pick your email provider, you can't pick your calendaring software, and you can't presumably pick your identity provider - professionals at IBM who get paid to worry about this stuff will pick one for you that they are reasonably sure will not, say, put into jeopardy the 401k accounts of the combined IBM workforce (because, hypothetically speaking, IBM uses OpenID to log their employees into fidelity.com).
We need a single sign-on solution for the Web that works both for Blogger/Facebook/consumer use case as well as the IBM use case.


Dirk.
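The precedence James argues for above (host-meta supplies a default OP, an individual OpenID URI may override it) together with the "validator on page changes" he mentions as a control, as an added illustration that is not code from the thread. The host-meta rel value, the XRD and HTML inputs, and the allow-list are all constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample host-meta document. The rel value naming the host's
# default OP is an assumption for illustration, not a specification citation.
DEFAULT_REL = "http://specs.openid.net/auth/2.0/default-provider"
XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
HOST_META = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="http://specs.openid.net/auth/2.0/default-provider"
        href="https://op.example.com/endpoint"/>
</XRD>"""

# Constructed sample pages: one relies on the host default, one (a non-human
# account, as in the post) declares its own OP in the page itself.
PAGES = {
    "https://example.com/alice": "<html><head><title>Alice</title></head></html>",
    "https://example.com/build-bot": '<html><head><link rel="openid2.provider" '
                                     'href="https://op.contractor.example/ep"></head></html>',
}

LINK_RE = re.compile(r'<link\s+rel="openid2\.provider"\s+href="([^"]+)"', re.I)

def host_meta_default(xrd_text: str) -> Optional[str]:
    """Return the host-wide default OP declared in host-meta, if any."""
    root = ET.fromstring(xrd_text)
    for link in root.findall(f"{XRD_NS}Link"):
        if link.get("rel") == DEFAULT_REL:
            return link.get("href")
    return None

def page_provider(html: str) -> Optional[str]:
    """Return the OP declared by the OpenID URI's own page, if any."""
    m = LINK_RE.search(html)
    return m.group(1) if m else None

def resolve_op(html: str, xrd_text: str) -> Optional[str]:
    """Per-URI declaration wins; otherwise fall back to the host-meta default."""
    return page_provider(html) or host_meta_default(xrd_text)

def audit(pages: dict, xrd_text: str, allowed: set) -> dict:
    """Operator-side check: list URIs whose effective OP is not on the allow-list."""
    return {uri: op for uri, html in pages.items()
            if (op := resolve_op(html, xrd_text)) not in allowed}
```

Running `audit(PAGES, HOST_META, {"https://op.example.com/endpoint"})` reports only the build-bot URI, which is the situation an IT admin's page-change validator would flag.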
