[OpenID] One-Click OpenID: A Solution to the NASCAR Problem

Peter Williams home_pw at msn.com
Thu Feb 16 20:44:59 UTC 2012


If you look at the Mozilla work on BrowserID, it's really a short-life cert scheme (in push mode).


You can do quite a bit of their architecture just using what already exists, in pull mode. If you want an RP to mint a cert, all it has to do is re-sign the one that's inbound from a disinterested third party (e.g. the govt of the day), and register the (locally re-signed) replacement as the mapping onto the local account. Furthermore, several RPs can agree to share the re-minted one issued by a particular "primary RP" who speaks for the "affiliation" of RPs. The extensions in the re-minted cert can have control objectives and value-add specific to that industry (that no one else cares about). For example, the re-minted cert might NOT have a chaining length control set (allowing the WebID folks to build user-centric chains of certs spanning linked data graphs).


This is an old model, from the SAML days, when IDPs had less power than they do now to structure the world according to the IDP-centric view. In reality, I'm insisting on power-sharing, by excluding IDPs that refuse to work with SP affiliations (of user organizations). I'm perfectly willing to accommodate IDP fears about cost recovery or their liability, but not their paranoias about what value they bring.
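The re-minting step the message above describes, as an added example in Go (standard library only, Go 1.18+); this is not code from the original post, from Mozilla's BrowserID or from the WebID work. A constructed third-party CA issues an ordinary end-entity cert to a user; the RP re-signs it under its own CA with the same subject and public key, marks it CA:true with the pathLenConstraint omitted, and adds a private "affiliation" extension; the cert-to-account mapping is keyed by the SPKI fingerprint, so the inbound and re-minted certs resolve to the same local account; and the user, holding only their own key, issues a sub-certificate that chains under the re-minted cert but not under the original CA:false cert. The CA names, the agent cert, the affiliation string and the OID 1.3.6.1.4.1.99999.1 are all assumptions made up for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Assumed OID under the IANA private-enterprise arc for the affiliation's own extension; not registered.
var affiliationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a minimal CA or end-entity certificate template for cn (constructed test data).
func template(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca { // CA certs carry keyCertSign (RFC 5280 4.2.1.3)
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl over pub with signer's key under parent (pass parent == tmpl to self-sign).
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Remint is the RP-side step: same subject and public key as the inbound cert, reissued under the RP's own
// CA as CA:true with pathLenConstraint omitted (MaxPathLen -1) plus the affiliation extension. No user private key needed.
func Remint(inbound, rpCA *x509.Certificate, rpKey *ecdsa.PrivateKey, affiliation string) *x509.Certificate {
	t := template(inbound.Subject.CommonName, true)
	t.Subject, t.MaxPathLen = inbound.Subject, -1
	t.ExtraExtensions = []pkix.Extension{{Id: affiliationOID, Value: must(asn1.Marshal(affiliation))}}
	return issue(t, rpCA, inbound.PublicKey, rpKey)
}

// SPKIFingerprint keys the cert -> local account mapping; inbound and re-minted certs share it (same public key).
func SPKIFingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Affiliation reads the private extension back out of a re-minted cert ("" if absent or malformed).
func Affiliation(c *x509.Certificate) string {
	for _, e := range c.Extensions {
		var s string
		if _, err := asn1.Unmarshal(e.Value, &s); e.Id.Equal(affiliationOID) && err == nil {
			return s
		}
	}
	return ""
}

// chains reports whether leaf verifies up to root through the given intermediates.
func chains(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Run walks the flow end to end and reports each property the scheme relies on.
func Run() map[string]bool {
	govKey, rpKey, userKey, agentKey := newKey(), newKey(), newKey(), newKey()
	govT, rpT := template("Government CA (constructed)", true), template("Primary RP CA (constructed)", true)
	govCA, rpCA := issue(govT, govT, &govKey.PublicKey, govKey), issue(rpT, rpT, &rpKey.PublicKey, rpKey)
	inbound := issue(template("Alice", false), govCA, &userKey.PublicKey, govKey) // plain end-entity cert
	reminted := Remint(inbound, rpCA, rpKey, "example-affiliation (constructed)")
	// The user, holding only their own key, signs a cert for an agent under each version of their cert.
	agentUnderReminted := issue(template("Alice's agent", false), reminted, &agentKey.PublicKey, userKey)
	agentUnderInbound := issue(template("Alice's agent", false), inbound, &agentKey.PublicKey, userKey)
	return map[string]bool{
		"inbound_chains_to_third_party": chains(inbound, govCA),
		"pathlen_unset_on_reminted":     reminted.IsCA && reminted.MaxPathLen == -1 && !reminted.MaxPathLenZero,
		"same_account_key":              SPKIFingerprint(inbound) == SPKIFingerprint(reminted),
		"affiliation_roundtrips":        Affiliation(reminted) == "example-affiliation (constructed)",
		"user_chain_under_rp":           chains(agentUnderReminted, rpCA, reminted),
		"user_chain_under_inbound":      chains(agentUnderInbound, govCA, inbound), // false: inbound is CA:false
	}
}
```

The last two results are the point of the message's "no chaining length control" remark: the third party's end-entity cert is CA:false, so nothing the user signs with that key verifies under the third party's root, whereas the RP's re-minted copy (CA:true, no pathLenConstraint) lets the user extend the chain without asking anyone. Re-minting also keeps the RP's own policy in its own hands: the affiliation extension, validity window and constraints are whatever the primary RP chooses, independent of the original issuer.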

 

 

 

  		 	   		  

