[OpenID] microsoft ACS, openid, WIF STS, and last mile politics
Peter Williams
home_pw at msn.com
Thu Jul 7 19:24:31 UTC 2011
The recent debate on who controls the identifier used by the RP site (the user or the IDP) was very satisfying. For years, I argued (in vain) that openid got it right originally, with its UCI story. Some of the larger OPs who refuse/d to participate in UCI got it wrong (and still have it wrong). Simply put: let any larger OP control the identifier, and strategic business goals will induce it to build commercial trust networks of RPs. Much as in the PKI era, these will not be built in the interests of individuals in society. Lose your access as a subscriber at an IDP, or lose rights to a name during a pending dispute, and you WILL lose access at your SP sites - since they are tightly bound to the OP. This is not a viable national infrastructure. It's certainly not a viable trans-national infrastructure.

But I think the American plan for *a* national (and thus trans-national) infrastructure based on SSO (vs PKI) is a good one - even if it starts out (as always in US federal initiatives) with a semi-hidden agenda (military goals, cyberwar, etc). 99% of what is built and that survives 3 years will end up entirely commercially motivated, though - such is the nature of US society. So I decided to support it with some action - re openid. It's thus not enough to merely adopt openid. The openid adoption has to minimize dependency on OPs (and their protocols). The user just has to be able to survive a change of OP, with minimal downtime on his/her many RP experiences.

At http://yorkporc.wordpress.com/2011/07/07/openid-to-wif-sts/ we see a signed token, built using only commercial-grade services and toolkits - available globally (from Microsoft, as my preferred vendor). It leverages the (my)openid - Microsoft cloud bridge (called ACS), letting one authenticate to myopenid and mint a sequence of tokens. Signed tokens, with PKI optional, can be and are further re-issued, embedding within them even yet more tokens for use in what SMLA.

It's gateway heaven, with a chain of agents adding (economic) value - as the facts are transformed to more closely match the needs of a particular (legacy) application community. I even mint a token that accesses a SAML2 gateway (for talking to stick-in-the-mud sites who *only* accept SAML2). Now, the SAML token has a certain form. Openid claims are mapped into particular SAML fields. I wonder if this group ought to take on responsibility for formalizing/standardizing the SAML1/SAML2 tokens that "gateway" openid OPs?
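The gateway chain the post describes (OP issues a signed token, a gateway STS verifies it, maps OpenID AX claims onto SAML attribute names, embeds the upstream token and re-issues under its own key, and the RP trusts only the gateway) can be modelled in a few dozen lines. The following is an added, constructed example; it is not code from the post, from the linked blog, or from Microsoft ACS/WIF. The issuer URLs, keys, user data and the AX-to-SAML attribute mapping are all assumptions made for the example, and HMAC-SHA256 over canonical JSON stands in for XML-DSig and real PKI signatures.

```python
"""Toy chained-STS gateway: OP token -> gateway re-issue -> RP.

Constructed example. HMAC stands in for XML-DSig; issuers, keys,
users and the AX->SAML mapping are hypothetical.
"""
import hashlib
import hmac
import json

OP = "https://op.example/"                # hypothetical OpenID provider
GATEWAY = "https://gateway.example/sts"   # hypothetical gateway STS

# Hypothetical signing keys; a real STS holds a private key per issuer.
KEYS = {OP: b"op-secret-key", GATEWAY: b"gateway-secret-key"}

# Assumed mapping from OpenID AX type URIs to SAML attribute names (LDAP OIDs).
AX_TO_SAML = {
    "http://axschema.org/contact/email": "urn:oid:0.9.2342.19200300.100.1.3",  # mail
    "http://axschema.org/namePerson": "urn:oid:2.16.840.1.113730.3.1.241",     # displayName
}


def canonical(payload):
    """Deterministic byte encoding so the signature covers exactly one form."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(issuer, payload):
    sig = hmac.new(KEYS[issuer], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify(token, expected_issuer):
    """Check issuer and signature; return the payload or raise ValueError."""
    payload = token["payload"]
    if expected_issuer not in KEYS:
        raise ValueError("unknown issuer")
    if payload.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    expected = hmac.new(KEYS[expected_issuer], canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("bad signature")
    return payload


def op_issue(claimed_id, ax_claims):
    """The OP asserts the user's claimed identifier plus AX claims to the gateway."""
    return sign(OP, {"iss": OP, "sub": claimed_id, "aud": GATEWAY, "claims": dict(ax_claims)})


def gateway_reissue(op_token, rp_audience):
    """Gateway hop: verify upstream, map claims, embed the upstream token, re-sign."""
    upstream = verify(op_token, OP)
    if upstream.get("aud") != GATEWAY:
        raise ValueError("upstream token not addressed to this gateway")
    attributes = {}
    for ax_uri, value in upstream["claims"].items():
        saml_name = AX_TO_SAML.get(ax_uri)
        if saml_name is not None:            # unmapped AX claims are dropped
            attributes[saml_name] = value
    payload = {
        "iss": GATEWAY,
        "sub": upstream["sub"],
        "aud": rp_audience,
        "attributes": attributes,
        "embedded": op_token,                # inner token kept for audit
    }
    return sign(GATEWAY, payload)


def rp_consume(token, rp_audience):
    """RP trusts only the gateway; returns (subject, SAML-named attributes)."""
    payload = verify(token, GATEWAY)
    if payload.get("aud") != rp_audience:
        raise ValueError("token issued for a different audience")
    return payload["sub"], payload["attributes"]


def audit_chain(token):
    """Walk embedded tokens outermost-first, verifying each; returns issuers."""
    issuers = []
    while token is not None:
        issuer = token["payload"].get("iss")
        payload = verify(token, issuer)
        issuers.append(issuer)
        token = payload.get("embedded")
    return issuers


def rejects(fn, *args):
    """True if fn(*args) is refused with ValueError (negative checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tok = op_issue("https://alice.myopenid.example/",
                   {"http://axschema.org/contact/email": "alice@example.org",
                    "http://axschema.org/namePerson": "Alice"})
    gw = gateway_reissue(tok, "https://rp.example/")
    print(rp_consume(gw, "https://rp.example/"), audit_chain(gw))
```

Two points the model makes concrete: the RP never needs the OP's key, only the gateway's, which is what lets the RP survive a change of OP behind the gateway; and because the upstream token is embedded whole, an auditor holding both keys can still verify every hop of the chain, while any edit to the mapped attributes after the gateway signs is caught at the RP.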