[PROPOSAL] authentication age

Drummond Reed drummond.reed at cordance.net
Thu Oct 5 04:33:27 UTC 2006


+1 to one key takeaway from this whole thread: that the
marketing/evangelism/messaging around OpenID MUST be very careful to clearly
communicate, in Gabe's words, "what it can and cannot do right now".
Especially when it comes to hard problems like authentication context and
circles of trust that SAML and Liberty Alliance have been cranking for 5+
years at. As long as we "communicated clearly so expectations aren't raised
and then not met" then we should give OpenID the runway it needs to grow
into those problems, just like 802.11 started "thin" and grew to become
nearly ubiquitous.

=Drummond 

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Gabe Wachob
Sent: Wednesday, October 04, 2006 9:09 PM
To: 'Chris Drake'
Cc: specs at openid.net
Subject: RE: Re[4]: [PROPOSAL] authentication age

Chris-
	I don't mean to be pessimistic about OpenID *AT ALL* - I truly do
believe that OpenID *WILL* get to the point where it's valuable for the Visas
of the world. I don't want to stall it for the other use cases that are
motivating the people who are currently involved - I think OpenID can
quickly evolve when needed. OpenID should be as lightweight as needed for
the use case - and so I think OpenID is great where it is.
	It's just that we have to be clear what it's trying to do today and
what it is NOT trying to do. I think we'll surprise some people (like you) -
but in the long run, the credibility will be there - I *KNOW* the folks who
are involved with OpenID are smart and know what it can and cannot do right
now. We just have to make sure that it's being communicated clearly so
expectations aren't raised and then not met...

	-Gabe

> -----Original Message-----
> From: Chris Drake [mailto:christopher at pobox.com]
> Sent: Wednesday, October 04, 2006 9:00 PM
> To: Gabe Wachob
> Cc: 'Kevin Turner'; specs at openid.net
> Subject: Re[4]: [PROPOSAL] authentication age
> 
> Hi Gabe,
> 
> Beautifully worded, and (IMHO) an extremely valuable real-world
> opinion.  I too believe OpenID is currently a "non-starter".  I have
> dual vested interests:  I want OpenID to succeed, *especially* for RPs
> like Visa, since my IdP makes money from supporting OpenID only when
> OpenID ends up getting used.  I also believe that an IdP (and mine in
> particular) is well suited for deploying secure technology (eg: two
> factor tokens).  If, aside from making OpenID actually *work* for the
> likes of Visa, we can build in the ability to provide a tangible
> *benefit* to Visa from using it (that is: allow Visa to REQUIRE that a
> user has authenticated via two-factor means, to an accredited - i.e:
> explicitly trusted by Visa - IdP) then we've not only cemented the
> future of OpenID, we've gone and improved a pile of security problems
> along the way.
> 
> Kind Regards,
> Chris Drake
> 1id.com
> 
> Thursday, October 5, 2006, 1:41:34 PM, you wrote:
> 
> GW> Chris-
> GW> 	As someone who has recently come from working in the financial
> GW> sector (Visa), it's clear that OpenID is NOT intended for authentication
> GW> where the *relying party* cares about how the authentication is performed.
> 
> GW> 	At places like Visa and for home banking, this means that OpenID,
> GW> without something more, is clearly a . These relying parties want
> GW> to know exactly how their users are being authenticated because their
> GW> business is all about risk management and creating business opportunities
> GW> around very good knowledge of the risk profile of each transaction type.
> 
> GW> 	That all being said, I believe it should be possible to layer on
> GW> OpenID a form of IDP control such that a relying party can require a certain
> GW> class or group of IDPs be used when presenting authentication assertions to
> GW> them. The actual *policy* for how these IDPs are approved is probably
> GW> orthogonal to the protocol spec, but "secure" identification of those IDPs
> GW> (relative to some trust root, etc) could probably be made into an extension
> GW> usable for those parties who want it.
> 
> GW> 	My guess is that culturally, most people involved in OpenID have
> GW> *not* been interested in addressing these concerns. However, expectations
> GW> need to be better managed around these sorts of "relying-party cares"
> GW> scenarios, because it's not obvious without actually reading the specs
> GW> themselves...
> 
> GW> 	-Gabe
> 
> >> -----Original Message-----
> >> From: specs-bounces at openid.net
> >> [mailto:specs-bounces at openid.net] On Behalf
> >> Of Chris Drake
> >> Sent: Wednesday, October 04, 2006 8:26 PM
> >> To: Kevin Turner
> >> Cc: specs at openid.net
> >> Subject: Re[2]: [PROPOSAL] authentication age
> >>
> >> Hi Kevin,
> >>
> >> Sounds like you're leaning towards a root authority for IdPs who can
> >> audit procedures and verify protection in order to sign the IdP's
> >> keys?
> >>
> >> Joe blogger doesn't care much about identity assertions from an IdP,
> >> but it's a reasonable bet to expect that a Bank might care...
> >>
> >> Kind Regards,
> >> Chris Drake
> >>
> >>
> >> _______________________________________________
> >> specs mailing list
> >> specs at openid.net
> >> http://openid.net/mailman/listinfo/specs
> 

