
shibboleth-dev - Re: self service app for InSecure (was: SHIB design call -- (5/16/2005)...)

Subject: Shibboleth Developers

  • From: John-Paul Robinson <>
  • To: Tom Scavo <>
  • Cc: Scott Cantor <>, "RL 'Bob' Morgan" <>, <>
  • Subject: Re: self service app for InSecure (was: SHIB design call -- (5/16/2005)...)
  • Date: Mon, 23 May 2005 11:23:47 -0500 (CDT)

It's something I'm working on from both ends (SP and IdP) and don't know
where it belongs yet. The idea I have in mind is that a generic IdP
could provide identities (say email verified, similar to Yahoo), but they
wouldn't hold much value because you really don't know who the identity
belongs to. If you could let a person with a more reliable identity
(member of InCommon) vouch for or sponsor one of these identities as
belonging to a particular person or simply being more trusted, then that
identity may be eligible for greater privileges.

This could be done at the SP, in which case you'd really be putting the
user into a group of whatever trust level you want. This wouldn't
require any additional knowledge about the person (beyond their provided
identity). It would also really only make sense in a single system
environment context, i.e. wherever that group name holds meaning.

It could also be done at the IdP and in this case it could provide a way
to verify additional personal information about the owner of that
identity, e.g. name, city, state or other attributes. This could then
elevate the quality of their identity provided to all SPs that trust the
IdP.

These are loose ideas. I'm in the process of setting up a very simple
open IdP (only email-verified accounts) in order to help explore these
ideas.

~jpr

On Mon, 23 May 2005, Tom Scavo wrote:

> On 5/18/05, Scott Cantor <> wrote:
> > > That would be very useful, seems to me. Sponsored accounts is a very
> > > common concept. I think we'd like to encourage SPs to look to IdPs in
> > > general for that first level of vetting. And indeed, being fresh back
> > > from Digital ID World where new-age identity schemes (aka "Identity 2.0")
> > > were the hot topic, I think there's some stuff for us university infra
> > > types to explore there, e.g. taking sponsorship towards "web of trust".
> >
> > Obviously the trick is to figure out where to do the federating and how
> > this overlaps with proxying or self-assertion more generally. It all
> > amounts to, dare I say it, claims translation?
>
> I'm afraid I lost track of this thread after the phrase "sponsored
> identity". What problem exactly are you trying to solve?
>
> > There's lots to do here.
>
> I'm still not clear what are the requirements?
>
> Tom
>



