Hi Nate,<br><br>Please see inline.<br><br><br><div class="gmail_quote">On Sat, May 31, 2008 at 4:18 PM, Nate Klingenstein <<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Babu,<div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Babu> The problem with today's reality is that my "digital identity" is lost if the OP shuts down his services or I would like to migrate.<br>
</blockquote>
<br></div>
That's true, but some important identity information is difficult to separate from the OP. For example, our universities often maintain whether someone is a student. Students get access to services that the university has licensed.<br>
<br>
Imagine one of our students wants to export their identity. Now their new OP has to convince RP's that they are a <a href="mailto:student@example.edu" target="_blank">student@example.edu</a>. Remember that <a href="mailto:student@example.edu" target="_blank">student@example.edu</a> gets you access to expensive, licensed stuff. That makes it difficult and costly for the RP to trust any OP in the world to state <a href="mailto:student@example.edu" target="_blank">student@example.edu</a>. Do we give the OP a signed blob saying "<a href="mailto:userid@outsourced.org" target="_blank">userid@outsourced.org</a>, expiration, <a href="mailto:student@example.edu" target="_blank">student@example.edu</a>, quoth me"? I don't want to deal with attribute revocation...<br>
</blockquote><div><br>Babu> This issue remains even for today's OpenID solution? How can an OP
vouch whether someone is "someone he claims to be" (in the case above, whether
someone is a student)? All that OpenID is trying to solve is to centralize
one's identity in a single place. As I understand it, OpenID doesn't give any trust
that this digital ID belongs to so-and-so person with so-and-so attributes.
<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
I agree that, for many use cases, data portability is important and good. However, if I wanted to introduce it to our real deployments of federated identity, I'd have to solve these difficult problems. We're probably talking about pretty different use cases, so you might not face the same problems.<br>
</blockquote><div><br>Babu> Some people even argue that the problem OpenID is trying to solve
(eliminating the need for multiple usernames & passwords) itself is not that
big an issue. But we are solving it. And we all believe that it's good for us
going forward, and that's what keeps us connected here :). <br><br>On the same
lines, we can solve the data portability issue too.<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Attribute aggregation and identifier portability are a more likely outcome for us, but they have their own challenges. There's a lot of thinking to be done here.<div class="Ih2E3d"></div></blockquote><div><br>Babu> Okay. What are the channels provided in the OpenID group to initiate such a
process?<br><br>Let's take the issues we are discussing here to a forum
where a decision can be taken on whether OpenID goals should be reframed to
have:<br> - OP-independent/global digital identity (to be created by the user at a
central digital identity server)<br> - RPs contacting the central digital
identity server to identify the current OP of a digital ID<br> - data
migration across OPs<br><br>Do we have a process/channel in OpenID to propose
suggestions to the existing framework? Or is it closed only to some internal
technical members of OpenID?<br><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
But in the case of DNS, the registered domain name remains forever.<br>
</blockquote>
<br></div>
Try out "whois", or check in with me on May 4, 2011. :D<div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Babu> Even with today's OP-specific digital identities, we have the phishing issue. What does a user do if he is phished? After this, if the attacker changes the password, does the user not lose all the website accounts at which this OP-specific digital identity was used?<br>
</blockquote>
<br></div>
Let me explain a little more. Universities, being big, juicy targets, are often targeted by spear phishing. An attacker poses as the university to try to steal user credentials. Some hundreds of students and staff are usually fooled. When they realize what they've done -- or, more often, after we realize what they've done and lock the account -- they call the help desk.<br>
<br>
We go through re-credentialing, which requires you supply various personal information or identity cards to prove you're you. Then, we change the user's password, force them to apologize and memorize what the real authentication page looks like, and clean up any messes created.<br>
<br>
Now, suppose in a world of identity portability that the attacker had migrated the user's account to a namespace and server they control. What does the help desk do now?<br>
</blockquote><div><br>Babu> If the university needs an identity that they can control, they need to
use their own identity system. They may not be able to depend on a public system
(like what we discussed about the "central digital identity" server) for their
internal uses. The system we are discussing can only guarantee that a digital ID
is unique across the Internet & can never be
lost.<br><br><br>Thanks,<br>Babu<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
I don't have good answers, but I appreciate the dialogue and any suggestions you might have,<br><font color="#888888">
Nate.<br>
</font></blockquote></div><br>