<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
The OpenID model is scalable, in the sense that it scales well for both
low security situations (the vast majority of interactions, allowing
for wide deployment) and allows for trust mechanisms to address higher
security situations. It's quite possible for a given RP to trust my
IDP without verification for me to contact customer service, but if I
request an (outbound) transfer, I'm going to need to be using a well
known & trusted IDP or provide alternate authentication. But I
don't need to require that until I need to do something that requires
such security.<br>
<br>
Andrew Arnott wrote:
<blockquote
cite="mid:216e54900810190951g1fef9891teee244eb32564e3a@mail.gmail.com"
type="cite">
<div dir="ltr">I don't think Shane was saying it's great for
low-security needs. But if you don't feel you can trust a random OP,
Shane was saying you as an RP can choose to trust only certain OPs so
they are not random. Microsoft HealthVault is an example of an RP that
chooses merely 3 OPs to trust. The OPs on the other hand don't have to
do any extra work.<br>
<br>
<div class="gmail_quote">On Sun, Oct 19, 2008 at 9:45 AM, Brandon
Ramirez <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:brandon.s.ramirez@gmail.com">brandon.s.ramirez@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div dir="ltr">So it's great security if you need very little
security?<br>
<br>
Transactions of value are precisely where we need federated identity.
I have different logins for my bank, credit card company, car
insurance, every everything under the sun. Except I can share identity
between my blog and a site like Flicker.<br>
<font color="#888888">
<br>
- Brandon</font>
<div>
<div class="Wj3C7c"><br>
<br>
<div class="gmail_quote">On Sun, Oct 19, 2008 at 12:36 PM, Shane B
Weeden <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sweeden@au1.ibm.com" target="_blank">sweeden@au1.ibm.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<tt><font size="2">Brandon: <br>
> [...] Why should I trust a random OP?<br>
> <br>
</font></tt>
<br>
<tt><font size="2">You shouldn't, and nobody is claiming you
should for
any transaction of value. What does excite me about OpenID (and
InfoCard
for that matter) over other SSO protocols like SAML is the zero cost of
onboarding additional RP's if I am acting as an IDP. All the RP needs
to
do (besides following a best-practices secure deployment model) is
define
that they trust the IDP (e.g. for OpenID define a trusted list of OP
endpoints)
and the IDP need do nothing in particular.</font></tt>
<br>
<br>
<tt><font size="2">Sure, there are dynamic extensions to SAML
like those
defined by Shibboleth for dynamic metadata sharing, but out-of-the-box
nothing I've been exposed to thus far quite matches the simplicity of
the
OpenID model.</font></tt>
<br>
<font color="#888888"><br>
<tt><font size="2">=shane</font></tt></font></blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
general mailing list<br>
<a moz-do-not-send="true" href="mailto:general@openid.net">general@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
</body>
</html>