The CardSpace factor

Drummond Reed drummond.reed at cordance.net
Sat Feb 17 05:09:07 UTC 2007


>> On Feb 16, 2007, at 8:57 PM, Drummond Reed wrote:
>>
>> It appears to me that with OpenID and CardSpace, all four options for
>> asserting a public personal identifier (PUBPID for this message) via an
>> infocard are valid:
>>
>> 1) Self-asserted card, PUBPID validated via OpenID
>> 2) Self-managed card[*], PUBPID validated via OpenID
>> 3) Third-party asserted card, PUBPID validated via OpenID
>> 4) Third-party asserted card, PUBPID validated via CardSpace signature
>>
>> [*] This is the option described by Eric where a user manages their own
>> cards at a third party i-broker.
>
>Eric Norman wrote:
>
>I don't think that's what I'm thinking.  I'm going
>back to the beginning of this thread and thinking
>about another option other than the analogy of
>showing a business card with your OpenID URL on it.
>PUBPID is not involved in what I'm thinking.
>
>In a sense, I'm trying to come up with a trick to
>do an end run around the fact that the self-asserted
>claims of CardSpace seem to be cast in stone.
>
>I'll elaborate a bit and hope that helps.  When
>installing a managed card in your identity selector,
>there comes a time when you have to fill in a URL
>for an IdP, i.e. who will be supplying managed cards
>for you.  I'm thinking that you could put your OpenID
>URL in there.
>
>From what I understand, managed cards are much more
>flexible regarding what claims are allowed.  So the
>trick here is to use managed cards but the claims
>that they supply are really self-asserted as far as
>level of assurance is concerned.

Ah, I got it. It's like my scenario #2, except you're hosting your own managed
card service at your own URL. In essence, your IdP is not really an IdP
but just a third-party hosting service providing a virtual managed card
service for you, the identity owner. You are your own IdP.

You can still send your PUBPID in that setup, and it can still be verified
using OpenID, but that's orthogonal to what you're proposing.

=Drummond  




