<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Nate<div><br></div><div>I may have misinterpreted the discussion, but the OP reputation conversation seemed to be around wanting to know if the OP was spammy, is reliable etc. -> I think the email analogy works well there.</div><div><br></div><div>As for knowing there was strong authentication used at an OP by a user, I would propose that a claim made by a trusted strong auth vendor be requested by the RP. </div><div>To elaborate, any OP could acquire a strong auth solution from a certified vendor and then offer that service to its users. This separates the function of strong authentication from the function of being an OP.</div><div><br></div><div>Given the goal of creating an open infrastructure, I see OP reputation mechanisms to be problematic if for no other reason than it creates a closed environment of who can be an OP and you get all the issues you have today with certificate authorities.</div><div><br></div><div>OpenID reputation mechanisms are a completely different matter, as you are judging how an OpenID has been used.</div><div><br></div><div>-- Dick</div><div><br></div><div><br></div><div><div><div>On 22-May-08, at 2:04 AM, Nate Klingenstein wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "> Dick,<div><br></div><div>Most universities can't send out students' grades or other sensitive information via email, as counsel and AACRAO judged it to be a potential FERPA violation, sooo...</div><div><br></div><div>That aside, it's still an interesting parallel, given that historically universities have always provided email services for every member of the organization. Students have always been largely free to forward their mail to whomever they want, or transcribe it on their local bathroom stall. 
That's been their choice.</div><div><br></div><div>Some schools are now outsourcing email entirely, though. In fact, they sometimes do so using Shibboleth to leverage campus identities for email as a service. Is removing that choice by only operating outsourced email fundamentally bad?</div><div><br></div><div>Well, there are the FERPA risks and occasional subpoenas. Public universities often comply with open records laws, which impose requirements on data retention. Some people are worried about these issues, and others think they're no problem. They haven't been tested in vitro yet. Here's a recent article:</div><div><br></div><div><a href="http://www.insidehighered.com/news/2008/03/21/privacy">http://www.insidehighered.com/news/2008/03/21/privacy</a></div><div><br></div><div><div>It's a tough choice for a lot of schools. However, email is -- or, at least, it should be -- fundamentally different from identity. Email is an application. Federated identity plumbs many applications with lots of different data about individuals.</div><div><br></div><div>The quality of that data matters for some applications, particularly the ones involving financial transactions. If, for example, someone sets up an open proxy in an IP-address based access control scheme, the university's often the one that gets fined/sued. Not fun, so we'd like to do better than that.</div></div><div><br></div><div>Check out university, bank, and corporate password reset policies, for the ones that don't require some form of token. 
You'll find them to differ from what your average email provider does.</div><div><br></div><div>Take care,</div><div>Nate.</div><div><br></div><div><div><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Helvetica" size="3" style="font: 12.0px Helvetica">Curious how you determine the reputation of the email provider for your users.</font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Helvetica" size="3" style="font: 12.0px Helvetica">Email contains very sensitive, private information and likely falls under the same privacy laws and FERPA.</font></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Helvetica; min-height: 14px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><font face="Helvetica" size="3" style="font: 12.0px Helvetica">I don't see a lot of difference between an OpenID Provider and an Email Provider.</font></div> </blockquote></div><br></div></div></blockquote></div><br></div></body></html>