The CardSpace factor
Drummond Reed
drummond.reed at cordance.net
Sat Feb 17 02:57:49 UTC 2007
It appears to me that with OpenID and CardSpace, all four options for
asserting a public personal identifier (PUBPID for this message) via an
infocard are valid:
1) Self-asserted card, PUBPID validated via OpenID
2) Self-managed card[*], PUBPID validated via OpenID
3) Third-party asserted card, PUBPID validated via OpenID
4) Third-party asserted card, PUBPID validated via CardSpace signature
[*] This is the option described by Eric where a user manages their own
cards at a third party i-broker.
However only #4 takes full advantage of CardSpace third-party claim
verification. The other three simply transport the claim via CardSpace and
then require OpenID authentication to verify it.
For #4 to be trusted, however, the third party must either be the issuer of
the PUBPID, or a party trusted by the RP to have done OpenID authentication
on the PUBPID (and that the PUBPID has not since been reassigned; that's
another issue ;-)
=Drummond
-----Original Message-----
From: user-experience-bounces at openid.net
[mailto:user-experience-bounces at openid.net] On Behalf Of Eric Norman
Sent: Friday, February 16, 2007 3:40 PM
To: OpenID user experience
Subject: Re: The CardSpace factor
On Feb 16, 2007, at 3:47 PM, George Fletcher wrote:
> Actually, I don't think the issue is whether the card is self-asserted
> or managed. The issue is how does the RP ask for a "public personal
> identifier" when it activates CardSpace with a list of claims that it
> needs. This claim could be self-asserted or managed, though in the case
> of an OpenID I agree that it probably makes more sense for that to come
> from a managed card.
>
> Thanks,
> George
That's not the way I see it. I see the issue as being how
can the RP get the claims that the user is willing to
release. The trick of treating the public personal
identifier as a resolvable OpenID would be one way. I'm
suggesting that using that OpenID URL as a pointer to
a place to get "managed cards" is another.
I'm just trying to get the options on the table.
Eric Norman
> Eric Norman wrote:
>> On Feb 16, 2007, at 3:20 PM, Drummond Reed wrote:
>>
>>
>>> George,
>>>
>>> If you're nominating "public personal identifier" as the name of a
>>> proposed CardSpace attribute for an OpenID URL or XRI representing an
>>> individual on a self-asserted card, I like it. It's a perfect
>>> counterpoint to the current "private personal identifier" claim, which
>>> is really for internal CardSpace use.
>>>
>>
>> Instead of making an OpenID URL a self-asserted claim,
>> there might be another possible avenue to explore.
>>
>> Set up CardSpace such that managed cards can be supplied
>> by a user's OpenID server. The difference is that the
>> user does the managing. That is, it's just a matter of
>> whether the user does her self-asserting on a server of
>> her choice or on some database on her desktop. In either
>> case, the level of assurance is the same, isn't it?
>>
>> Eric Norman
>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
>>
>>