<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks Nate. I didn’t realize there was a Information Card foundation
too.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Slight aside, but is there an “Identity Foundation”? A group of
people and resources from each of these projects that as consumers we could
follow easier? Would be nice if there was a advantages/disadvantages,
libraries, suggested architecture and so on to help decision makers (not just
business, but technical level).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You see my point to them was that Shibboleth will be useful for
users under their control and their core applications, but OpenID would be very
good for their public forums, discussions and so on – things that are to be
more fluid. I would love to point them at a “proven/suggested architecture” diagram
rather than creating my own.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>steven<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>http://livz.org<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Nate Klingenstein
[mailto:ndk@internet2.edu] <br>
<b>Sent:</b> 04 November 2008 12:20<br>
<b>To:</b> Steven Livingstone-Perez<br>
<b>Cc:</b> 'Rebecca Cannon'; general@openid.net<br>
<b>Subject:</b> Re: [OpenID] Real Identity Verification<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Steven,<o:p></o:p></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><span class=apple-style-span><span style='font-size:9.0pt;
color:#0000DD'>They are likely to go with Shibboleth (currently using Athens)
at the core because of the higher level of trust and verification as compared
to OpenID.</span></span><span style='color:black'><o:p></o:p></span></p>
</blockquote>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>The UK Federation for Access Management is up to 618 members
(<a href="http://www.ukfederation.org.uk">http://www.ukfederation.org.uk</a>/),
and they're working very hard to ensure a consistently good level of practices
and trust throughout. It's truly multilateral and a high level of
assurance, and they've done excellent work.<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><span class=apple-style-span><span style='font-size:9.0pt;
font-family:"Calibri","sans-serif";color:#0000DD'>I argued that to the public
user OpenID is much easier to attain and run with – especially with Google.
Microsoft, Yahoo etc now supporting it.</span></span><span style='color:black'><o:p></o:p></span></p>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>This is no doubt true, but I think that Yahoo, Microsoft,
and Google offer a very different level of trust and verification with their
email accounts. They've got a business to run.<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><span class=apple-style-span><span style='font-size:9.0pt;
color:#0000DD'>There was also the argument that you can protect resources
directly using Shibboleth. Now maybe someone working on this can correct me,
but my guess is that if you can’t already, you will soon be able to map an
OpenID to a token (say a SID in windows) and you’ll protect resources using the
common operating system rather than a brand new way of protecting resources.
True?</span></span><span style='color:black'><o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Shibboleth's SP design is more at work here than anything
protocol-related here. The SP is built to protect resources and paths
directly, like a filter, with very little to no modification of or integration
into the application. As far as integration with the operating system
goes, if CardSpace rises from the grave -- four days too late for that metaphor
to be good -- then we'll all be in good shape regardless. Microsoft's new
Geneva identity suite will probably offer a lot of integration, with all the
good and "aaaargh" that comes with that.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal><a
href="http://www.theregister.co.uk/2008/10/30/microsoft_generva_hailstorm/">http://www.theregister.co.uk/2008/10/30/microsoft_generva_hailstorm/</a><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>I'd like to remind people to focus a little less on
protocols we use and a little more on trust structures. OpenID as a
protocol couldn't support these trust structures today, partially by design;
that could change in the future as the set of deployers changes. Today,
Shibboleth is, in my incredibly biased opinion, a fine choice for your
application that requires trusted identity from known sources and privacy for
your users.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Thanks for the interesting anecdote,<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>Nate.<o:p></o:p></p>
</div>
</div>
</body>
</html>