
shibboleth-dev - RE: [Shib-Dev] Special Call: Practices with OpenID -- 12/13/2010 -- 12:00 pm EST, 9:00 am PST

Subject: Shibboleth Developers

  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] Special Call: Practices with OpenID -- 12/13/2010 -- 12:00 pm EST, 9:00 am PST
  • Date: Fri, 10 Dec 2010 10:52:54 -0800
  • Accept-language: en-US

What is the wider context here? It seems a reversal of years of denial on websso.

 

To research formalities. The UK academic community spent >$50k of public money proving that only 3 people in all of UK academia ever used openid (and 2 of them were the developers on the research team). They concluded from their own proof that there was no demand, and then no basis for demand. Folks seem to reason then from their assumptions, asking: who would possibly want innately low assurance?

 

What has occurred or changed in the US academia community that induces rejection of that UK conclusion? Is there now a realization that there was a false assumption in the basis of the UK research plan – one that inaccurately tied openid to the world of low assurance?

 

To be fair to the UK folks, OpenID has changed a lot since that research project presented its conclusions to its funding agency. Nowadays, OpenID is very much more than either a protocol or a user-centric identity concept: it’s very much about mandatory UI discipline on SPs – at least for the processes performed at the IDP site. This practice follows the path that Facebook Connect trampled through the websso jungle -- a path that the firm’s researchers forged when discovering a viable, mass adoption pattern for consumer-grade webSSO. Hopefully, we all recall the takeoff of Facebook Connect - that put the rest of us researching adoption patterns to shame!

 

Now, as a protocol guy, it irks me no end that the theories of mass adoption I had to study – as taught in the usual IT schools - don’t appear to hold in the websso case (or any other case involving digital signatures, for that matter). But I’m a realist – trained to keep my eye on the ball: mass adoption! If the UI folks in the industry research labs have made the breakthrough by finding viable, UI-based integration patterns for trustworthy session-handoffs between trusting websites, then so be it.

 

From: [mailto:] On Behalf


I'm writing on behalf of Keith Hazelton (chair of the mace-dir working group) and myself (Shibboleth Project Manager). All of you have recently mentioned or described work that you've undertaken (or are about to start) related to allowing people to authenticate with OpenID and then access Service Provider sites on your campuses.


We'd like to use that call to 1) start to identify the common requirements, 2) identify a list of directions among which we have to choose, and 3) start on a crisper statement of the scope of the work.




