<html>
<head>
<style>
P
{
margin:0px;
padding:0px
}
body
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body>
Henry, whilst i like this idea, i wonder how much of this could be solved by a trust system in place .. similar to the system already used by certificates.<BR>
<BR>
The main problem with certs is that it requires a lot of work for the user. However, OpenID does not and so although on its own it is not as secure as certificates, it does seem (to me) to have much in common.<BR>
<BR>
Now, i'm not sure what and how much people have discussed on this list (i try to keep up), but i'd figure that a system of trusted delegation and revocation would work well even in an extended OpenID world.<BR>
<BR>
So your Engineering team and Sun would have a two way trust system (or asymmetrical trust if you wished) so that an authenticated OpenID for either would be trusted in the other... and further could be used as part of authorization. Whether this worked as a browser redirect, or even better, using some delegated service authentication call is another question (the latter being worked on at the moment i believe).<BR>
<BR>
I think if we start trying to think of sychronized passwords and so on we are in for a world of pain. I imagine someone on this list is either thinking or doing something about a distributed trust network for OpenID providers?<BR>
<BR>
Revocation is a little tricker, but feasible.<BR>
<BR>
steven<BR>
<A href="http://livz.org">http://livz.org</A><BR><BR>> From: henry.story@bblfish.net<BR>> Date: Tue, 7 Aug 2007 11:46:40 +0200<BR>> To: pwilliams@rapattoni.com<BR>> CC: general@openid.net<BR>> Subject: Re: [OpenID] openid and acl's<BR>> <BR>> <BR>> On 4 Aug 2007, at 19:30, Peter Williams wrote:<BR>> <BR>> ><BR>> ><BR>> > In "A Foaf File for Sun" [1] I argue that the Authorization service<BR>> > can be thought of as a group identifier. The Authorization <BR>> > service is<BR>> > a group membership verifier.<BR>> > <BR>> > This can be used to give people access to different parts of the web<BR>> > using RDF. An example I give is how this could be used to make <BR>> > access<BR>> > to the W3C just a question sending someone Sun's foaf file.<BR>> > <BR>> > <BR>> > Henry<BR>> > <BR>> > [1] http://blogs.sun.com/bblfish/entry/a_foaf_file_for_sun <BR>> > <http://blogs.sun.com/bblfish/entry/a_foaf_file_for_sun><BR>> <BR>> Just to be critical of my own proposal first.<BR>> <BR>> Whilst using the Authorization service as a group identifier makes <BR>> sense, it can be criticized for not scaling in the right way. If <BR>> every group tried to have an authorization server then one would be <BR>> back to square one, namely having to remember one password per group. <BR>> Well at least one would only need to remember on openid, this openid <BR>> pointing to each of the authorisation servers.<BR>> <BR>> Perhaps the idea of having a number of authorization servers can be <BR>> made to make sense. If the OpenId had a foaf representation then it <BR>> could express which authorisation servers we linked to which groups. <BR>> My foaf file could be written like this:<BR>> <BR>> @prefix oid: <http://openid.org/tmp/ont#> .<BR>> @prefix foaf: <http://xmlns.com/foaf/0.1/> .<BR>> <BR>> <me> a foaf:Person;<BR>> foaf:firstName "Henry";<BR>> foaf:family_name "Story";<BR>> foaf:mbox <mailto:henry.story@bblfish.net>;<BR>> foaf:openid [ = <http://openid.sun.com/bblfish>;<BR>> oid:service [ = <https://openid.sun.com/openid/ <BR>> service>;<BR>> is oid:memberIdService of <http:// <BR>> sun.com/data#sunw> ],<BR>> [ = <https://openid.sun.com/openid/ <BR>> engineer/Service;<BR>> is oid:memberIdService of <http:// <BR>> sun.com/data#engineer> ] .<BR>> <BR>> <BR>> This is saying in short that my openid has two services, one of them <BR>> shows that I am a member of Sun Microsystems, the other that I am <BR>> member of the sun engineering team. One could imagine that both of <BR>> those use the same authentication password, so as not to be so <BR>> troublesome.<BR>> <BR>> As the above is a little complex, (I am using the inverse relation of <BR>> oid:memberIdService for example), here is the same thing illustrated <BR>> graphically:<BR>> <BR>> <BR>> <BR>> <BR><BR><br /><hr />See what you’re getting into…before you go there <a href='http://newlivehotmail.com/?ocid=TXT_TAGHM_migration_HM_viral_preview_0507' target='_new'>See it!</a></body>
</html>