[OpenID] One-Click OpenID: A Solution to the NASCAR Problem

Peter Williams home_pw at msn.com
Thu Feb 16 07:51:28 UTC 2012


I read the post.

If the metric or program acceptance were: how are several latent technologies linked together to solve a problem that is "just holding back" the floodwall of adoption, (vs., can I have some cash for my idea, like one might make an investor in your startup), one might well tie a couple of projects together.

 

Since you are having the IDP issue a client cert to the SSL module of a browser, let's remark that said cert is essentially a cookie (in function). It's not an ID cert, issued by a CA, and it's not tied to any type of smartcard. Let's call it an IDP's session-cert. As the webid project has shown, it can contain in the URI name field a pointer to an HTML5 marked-up file, listing the user's XYZ service access points. Of course, this should sound like openid1 (where the metadata tags in the user's own XRD on his/her blogsite played the role, formally). These days, it can be a blog post body itself, rather than meta links in a hard-to-edit HTML header or XRD (XML) file. The links simply point to the OP endpoint.

Nothing "new" in that idea, except that a couple of more relevant technologies were hooked up, with a custom SSL cert used as some glueware. Nothing stops a CA's cert also being used directly with the IDP or the RP, in multiple browsers (tied one day to a national-id smartcard, or mobile phone SIM card, or NF device... ).

3 things are different - and not just the same old war horse arguments, repeated over and over and over again. There are different types of certs, and IDPs can issue them too (for "management/discovery purposes"). Said certs have a nice auto presentation, due to SSL sessionid mechanisms, being optionally consumed by requesting sites. They also have nice consent mechanisms (on first time release). They can have URIs in them, that solve the type-here problem. The URI can these days be pointing to the bodies of files/posts, that even I can edit. Various technologies are available for markup, in the era of HTML5 semantic markup going "consumer".

This is what I'd expect to hear in the rationale for why I want funding. I would not expect to hear about how to solve the NASCAR problem (that's not the reason I fund stuff, though other agencies might on such criteria). I want to hear how rich is the US national infrastructure, so lots gets solved. I'd perhaps want to hear that the SSL proxy mode of the corporate firewall might be handling this class of client certs and the https client authn, too (rather than the browser itself).

This is just my guess of what they want to hear (not that I know...). The art of winning funds is to know the mindset of the program manager. Not to do so is the commonest cause of grant application failures.