[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal

John Bradley ve7jtb at ve7jtb.com
Tue Feb 14 18:30:53 UTC 2012


Peter,

While the social web use case continues to be important to the Foundation and its members, that is not the only use case that needs to be addressed.

Before NSTIC came about it was clear to many people that having multiple protocols and identity providers servicing smaller niches is not an ideal situation.

In our redesign of OpenID we embrace the important authorization role that OAuth 2.0 has on the web, and we also allow for a number of formal security profiles.

This in principle will allow an account at an IdP to be used in applications from social gaming to tax filing. That is, if the IdP chooses to support the more advanced profiles with signing and encryption for privacy.

Users getting more value from accounts will be more interested in securing them with better primary authenticators like smart cards or more likely mobile device secondary factors.

So the message is that OpenID Connect, and Connect providers, are not just for low-value transactions anymore.

There are things like trust frameworks for Identity and Attributes that need to be put into place.

I am no stranger to the R&E community. There are people looking at how OpenID Connect can be added to products like SimpleSAMLphp and others to better integrate with Grid and cloud environments.

I don't think SAML is going to be displaced any time soon (yes, as a SAML contributor I play both sides). However, it is not currently growing into the Social Web and NSTIC space.

That is mostly due to vendor incompetence, in my opinion.

There will certainly be additional plots and intrigue for you to uncover as this plays out :)

What is safe to say is that OpenID is not rolling over and giving up the fight any time soon.

Regards,
John B.

On 2012-02-14, at 2:55 PM, Peter Williams wrote:

> 
> What is news to me is that the foundation took upon itself to break free of the somewhat-specious buckets - that openid (the approach) was inherently unassurable (and thus LOA1). A lot of political energy went into characterizing openid - the brand - as only for "that which doesn't matter".
> 
> Remember, consumers don't think in terms of formal technical definitions, or NIST criteria. They think in terms of rough classes of assurance.
> 
> 1 There is me being a pill on a blogging site, ranting on a topic I know nothing about after a beer (wishing I hadn't, the next day). There may even be me writing a blog, on something half adult. There is also me paying a subscription using a credit card to 100 media outlets.
> 
> 2 There is me doing paperwork when I get a job and do tax deductions (that hurt my pay cheque), or pay the road tax, or get a smog certificate for a vehicle; or licensing my shotgun for use in my extensive backyard.
> 
> 3 There is me signing and certifying my annual tax form (under penalty of perjury), or registering a baby for a passport; or seeking government benefits (based on eligibility).
> 
> 4 And there is me playing James Bond, with instant, tamperproof satellite communications, all used to save the planet just in the nick of time.
> 
> The last one has yet to happen for me (and probably won't). The other three are 80:15:5 percent of my arrangements.
> 
> That openid intends - as a brand - to address the 2nd and 3rd categories is what is news (to me) - but remember I'm not a foundation member. That there are bits and bytes of "more evolved" security protocols in the works was not (having seen all the same stuff done several times with different bit formats, over the years).
> 
> If it helps, I can tell a story that may align with what the foundation has been doing. It may even mean the story is "resonating" (generally).
> 
> Last week a really good engineer came to me and said: look, we cannot stand any more the fact that the web site farm talks to the web services (and the database) [farms] using trusted accounts. We want the user identity to drive what the (data center) web services do, and limit their access in the backroom. It's just too risky.
> 
> I nearly fell off my seat at hearing this (having said what we HERE all know is "proper" for years). Previously, the de facto and loud response was: it's just not "important" (or economic). Go away, and talk to academics about stuff 15 years down the road.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20120214/a676211b/attachment.p7s>
