<html>
<head>
<style>
P
{
margin:0px;
padding:0px
}
body
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body>I like the idea of this, Henry - quite simple really. The issue is how to create sub-groups etc. - it seems your solution works for specific IDs and for the provider in general as a group.<BR><BR>
The difficulty in using SAML/XACML in my view is in implementation - they are quite large specs, and I think OpenID has done well in that it hasn't become overly complex. It's a balance, as I could easily accomplish defining who is to access resource X if I were to simply take the URI for resource X, add one or more OpenIDs to it (permitting access) and sign this with my OpenID. I could store this data anywhere - independently of my FOAF data.<BR>
<BR>
This may not be ideal from a purist view, but I could have this working in two hours. Implementing SAML/XACML is quite a bit more complex (in fact, looking through the archives, I see this has been brought up before).<BR>
<BR>
Henry - your blog discusses something that would be simple to implement, which is why I like it. I can see how it could be extended as I discuss above to allow (lightweight) distributed access controls... in fact, a third party taking two independently authenticated OpenIDs could verify access to a resource as a service, I would think.<BR>
<BR>
The question in doing something like this is how far do you want to go. I remember back in 2000 or so, many groups I worked on were creating XML Schemas that covered every scenario possible, and they were just never adopted... a good example is the success of RSS over NewsML: one is a couple of pages long in spec, the other about 50 :) I personally think lightweight authorization through OpenID would be a nice start.<BR>
<BR>
steven<BR>
<A href="http://livz.org">http://livz.org</A><BR>
<BR> <BR>
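An added example, not part of this post or of Henry's blog: the signed "resource URI plus allowed OpenIDs" record described above, and the check a third party would run against an OpenID the requester has already authenticated with. It assumes HMAC-SHA256 under the owner's association secret as the signature (OpenID 2.0 signs its own assertions with an HMAC in the same way) and that the verifier holds that secret; every name, URL and secret is constructed.<BR>

```python
# Added example (not from the post): the "resource URI plus a list of OpenIDs,
# signed by the owner" record Steven sketches above, and the check a third party
# would run. Assumption: OpenID 2.0 signs its assertions with an HMAC over a
# key-value form under an association secret, so HMAC-SHA256 keyed by the owner's
# secret stands in for "sign this with my OpenID"; the verifier is assumed to
# hold that secret. Every name, URL and secret below is constructed.
import hashlib
import hmac
from typing import Any, Dict, Iterable, List


def canonical_form(resource: str, openids: Iterable[str]) -> bytes:
    # Deterministic encoding: de-duplicated, sorted, one field per line, so
    # re-ordering or repeating an entry does not change the signature.
    fields = [f"resource:{resource}"] + [f"openid:{o}" for o in sorted(set(openids))]
    return "\n".join(fields).encode("utf-8")


def build_acl(resource: str, openids: Iterable[str], owner_secret: bytes) -> Dict[str, Any]:
    # Self-describing record; it can be stored anywhere, independently of FOAF data.
    allowed: List[str] = sorted(set(openids))
    sig = hmac.new(owner_secret, canonical_form(resource, allowed), hashlib.sha256).hexdigest()
    return {"resource": resource, "openids": allowed, "sig": sig}


def acl_is_authentic(acl: Dict[str, Any], owner_secret: bytes) -> bool:
    body = canonical_form(acl["resource"], acl["openids"])
    expected = hmac.new(owner_secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    return hmac.compare_digest(expected, acl["sig"])


def may_access(acl: Dict[str, Any], resource: str, authenticated_openid: str,
               owner_secret: bytes) -> bool:
    # Default deny: the record must be untampered, name exactly this resource, and
    # list the OpenID the requester has already proven control of through a normal
    # OpenID login (that authentication step is assumed to have happened before).
    if not acl_is_authentic(acl, owner_secret):
        return False
    if acl["resource"] != resource:
        return False
    return authenticated_openid in acl["openids"]


# Constructed sample data: Alice and Bob may read the Q3 report, nobody else.
OWNER_SECRET = b"constructed-association-secret-of-the-resource-owner"
RESOURCE = "https://example.org/reports/q3"
ACL = build_acl(RESOURCE, ["https://bob.example/", "https://alice.example/"], OWNER_SECRET)
```

Because the signature is a shared-secret HMAC, anyone able to verify the record can also forge one; a public-key signature over the same canonical form would let independent third parties verify without that trust, and a record for real use would also carry an expiry or revocation reference.<BR>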
<HR id=stopSpelling>
<BR>
> From: henry.story@bblfish.net<BR>
> Date: Sat, 4 Aug 2007 08:40:04 +0200<BR>
> To: joseph@josephholsten.com<BR>
> CC: scott@kveton.com; general@openid.net<BR>
> Subject: Re: [OpenID] openid and acl's<BR>
> <BR>
> On 3 Aug 2007, at 19:59, Joseph Holsten wrote:<BR>
> > Scott Kveton wrote:<BR>
> >>> Anyone discussed the idea of using OpenID as a basis for a <BR>
> >>> distributed ACL's<BR>
> >>> system?<BR>
> > One thing that's important about ACLs is grouping. You wouldn't access<BR>
> > a firewall that requires you to type in every single IP address. You<BR>
> > wouldn't use windows permissions where you needed to specify every<BR>
> > user's access.<BR>
> ><BR>
> > Has someone proposed a wildcard scheme or group identifier via OpenID,<BR>
> > because that would be awesome.<BR>
> <BR>
> <BR>
> In "A Foaf File for Sun" [1] I argue that the Authorization service <BR>
> can be thought of as a group identifier. The Authorization service is <BR>
> a group membership verifier.<BR>
> <BR>
> This can be used to give people access to different parts of the web <BR>
> using RDF. An example I give is how this could be used to make access <BR>
> to the W3C just a question of sending someone Sun's foaf file.<BR>
> <BR>
> <BR>
> Henry<BR>
> <BR>
> [1] http://blogs.sun.com/bblfish/entry/a_foaf_file_for_sun<BR>
> <BR>
> _______________________________________________<BR>
> general mailing list<BR>
> general@openid.net<BR>
> http://openid.net/mailman/listinfo/general<BR><BR>
</body>
</html>