[OpenID] One-Click OpenID: A Solution to the NASCAR Problem
Melvin Carvalho
melvincarvalho at gmail.com
Fri Feb 17 13:54:05 UTC 2012
On 16 February 2012 23:02, John Bradley <ve7jtb at ve7jtb.com> wrote:
> At some future point there may be many IdP with rich attributes and API that RP are willing to take.
>
> Probably they need to have some sort of trust framework or central management to track that information.
>
> I agree that RP preference needs to be fed into the mix, though doing that without leaking PII to a potential RP is an issue.
>
> With Account chooser while it asks for a email address the IdP doesn't need to be an email provider. Only the domain name is used to perform discovery at this time.
>
> It is a mistake for the RP to treat the user input string as being validated in any way.
>
> The reason for asking for an email address is that people tend to understand the question, and if the domain doesn't have a SSO service the email can be used to bootstrap the local account creation process.
>
> If we can come up with another identifier type/decryption that is understandable to users that could be used as well.
>
> I think account chooser is the path most likely to succeed. It also has the advantage of being protocol agnostic.
> It could work with OpenID 2, OpenID Connect, SAML or other protocols if the RP supports them.
>
> It also allows the IDP flexibility on the primary authenticator. Custom soft certs, smart cards, phones, or other methods can be used.
I've been thinking about trust for many years.
We have centralized trust assertions from people like VeriSign and
other CAs. Perhaps the OIDF is going to get into centralized
whitelisting too.
A more interesting approach is the decentralized architecture. Note:
there's a difference between centralization and specialization.
The paper I like best is:
"Agents, Evolutionary Games, and Social Networks"
http://www.cdm.lcs.mit.edu/ftp/lmui/computational%20models%20of%20trust%20and%20reputation.pdf
I've been thinking lately about trying to form an abstraction
framework that could include the following four webs of trust:
http://trustmap.org/
http://bitcoin-otc.com/trust.php
http://www.gswot.org/
http://xmlns.com/wot/0.1/
Would love to know if there are any other relatively "open" trust
systems out there.
>
> Regards
> John B.
>
>
>
>
> On 2012-02-16, at 6:12 PM, Allen Tom wrote:
>
>> Hi Francisco,
>>
>> Thanks for sharing!
>>
>> One of the appealing aspects of your proposal is that it enables users to login with an account from any OpenID Provider, as opposed to being limited to a small set of NASCAR buttons. However, websites generally limit the choices available to users in order to persuade the user to login using a high value account with data and services (name, verified email address, social sharing, profile, Likes, etc).
>>
>> In practice, not many websites want users to log in with 3rd party accounts unless they're guaranteed to get some data/services - it seems that most sites would rather have the user register a new local account with a password if the user doesn't want to use one of the NASCAR buttons. Account Chooser and Mozilla's BrowserID are both relatively email-address centric because a verified email address seems to be the bare minimum that sites need to get in order to justify accepting a 3rd party login relative to just registering a local account.
>>
>> Does your proposal have a way for an RP to specify the requirements for accounts that are acceptable for users to login with? For instance, an RP may only accept OpenIDs from OPs that share the user's verified email address.
>>
>> Thanks
>> Allen
>>
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
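The two security points raised in the quoted messages above (John's: only the domain of the typed string is used for discovery, and the RP must not treat the string as validated; Allen's: an RP wants to state which accounts it will accept, e.g. only OPs that return a verified email) can be written down as RP-side logic. The following is an added example, not code from the thread or from any Account Chooser implementation. The discovery table, issuer URLs and the `IdPAssertion` shape are constructed stand-ins for a WebFinger/OpenID discovery lookup and an IdP's ID-token claims, so the example runs offline; the final check, that a verified email is only honoured for a domain that discovers to the asserting issuer, is a policy choice of this example rather than something the thread specifies.

```python
"""RP-side account chooser sketch (added example, not from the thread).

The user types an email-shaped string. The RP:
  1. discards everything but the domain, and only after normalising it,
  2. uses the domain to discover an IdP (simulated here by a table),
  3. falls back to local signup, with the email still UNVERIFIED, when
     the domain has no SSO service,
  4. after login, accepts the IdP's assertion only if it meets RP policy.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import re

# Constructed stand-in for discovery responses (hypothetical issuers).
# Real code would do a WebFinger / OpenID discovery request here.
DISCOVERY_TABLE = {
    "example.com": "https://login.example.com",
    "university.example": "https://sso.university.example",
}

# Only the shape is checked: one '@', no whitespace. Nothing about the
# string is treated as proof of anything.
_EMAILISH = re.compile(r"^[^@\s]+@([^@\s]+)$")


def domain_for_discovery(user_input: str) -> Optional[str]:
    """Return the normalised domain of an email-shaped string, else None.

    The local part is thrown away: it is user-typed and unverified, and
    must never be stored as an identifier the RP trusts.
    """
    m = _EMAILISH.match(user_input.strip())
    if not m:
        return None
    domain = m.group(1).rstrip(".").lower()
    try:
        # IDNA-normalise so look-alike Unicode domains map to one key.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def choose_account(user_input: str) -> Tuple[str, Optional[str]]:
    """Return ("sso", issuer), ("local", unverified_email) or ("reject", None)."""
    domain = domain_for_discovery(user_input)
    if domain is None:
        return ("reject", None)
    issuer = DISCOVERY_TABLE.get(domain)
    if issuer is not None:
        return ("sso", issuer)
    # No SSO for that domain: bootstrap local account creation. The email
    # is kept only to send a confirmation; it is not verified yet.
    return ("local", user_input.strip().lower())


@dataclass(frozen=True)
class IdPAssertion:
    """Minimal stand-in for the claims an IdP returns after login."""
    issuer: str
    subject: str
    email: Optional[str]
    email_verified: bool


def rp_accepts(assertion: IdPAssertion, expected_issuer: str,
               policy: dict) -> bool:
    """Apply the RP's acceptance policy to an IdP assertion."""
    # The assertion must come from the issuer discovered for the typed
    # domain; anything else is a different account than the user chose.
    if assertion.issuer != expected_issuer:
        return False
    if policy.get("require_verified_email", False):
        if not assertion.email or not assertion.email_verified:
            return False
        # Example policy: honour a verified email only for a domain that
        # discovers to this same issuer, so one IdP cannot vouch for
        # addresses at a domain it does not serve.
        email_domain = domain_for_discovery(assertion.email)
        if DISCOVERY_TABLE.get(email_domain) != assertion.issuer:
            return False
    return True


if __name__ == "__main__":
    print(choose_account("Alice@Example.COM"))   # ('sso', 'https://login.example.com')
    print(choose_account("bob@nosso.example"))   # ('local', 'bob@nosso.example')
    print(choose_account("not an email"))        # ('reject', None)
```

Note what the local fallback does not do: it never marks the typed address as verified, and the SSO path never stores the typed string at all; the RP's record of the user's email comes from the IdP's assertion, and only once policy has accepted it.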