[Dev] Acting As If =you were @example*dept
Chasen, Les
les.chasen at neustar.biz
Wed May 16 20:09:17 EDT 2007
Or put a ref in @example*dept to =you. If there is no authentication SEP in @example*dept, then the resolver should find the authentication SEP for =you. Then, if I am not mistaken, the OP should pull the CID for =you and request the appropriate password.
--------------------------
http://xri.net/=les.chasen
----- Original Message -----
From: dev-bounces at inames.net <dev-bounces at inames.net>
To: Michael Mell <mike at nthwave.net>
Cc: dev at inames.net <dev at inames.net>
Sent: Wed May 16 20:02:51 2007
Subject: Re: [Dev] Acting As If =you were @example*dept
I think it would probably work, but I don't envy anyone trying to implement an OP that supports it. There will be a lot of redirecting to get right.
A simpler solution might be OpenID Delegation, but with that you would have to give the @example*dept password to =me and =you.
-Markus
On 5/17/07, Michael Mell <mike at nthwave.net> wrote:
An ibroker Customer has registered @example. Customer has a Legacy system which can only be configured to grant access to a single identifier, in this case, @example*dept. Customer wants =you and =me to authenticate using OpenID 1.1 to this system /as/ @example*dept without giving the @example*dept password to either =you or =me.

I see a very simple way to implement this: The OP will enable @example*dept to create and manage a list of inames that are permitted to Act As @example*dept. The registrant enters =you and =me to this mapping. After creating the mapping, =you will enter "@example*dept" at the OpenID login box at the Legacy RP. The browser will be redirected to the OP for @example*dept. The OP will recognize that @example*dept has Acting As mappings so, in addition to the usual password field, the OP will present an iname form field to allow =you or =me to authenticate to the OP as =you or =me. After verifying the =you or =me password, the OP will redirect the browser back to the Legacy RP with the appropriate @example*dept tokens to confirm authentication as @example*dept.

The OP will not accept Acting As authentications to manage the account -- =you may not Act As @example*dept at the OP.

This method could be extended a step further so that the mapping list is irrelevant and any OP account can Act As a configured account such as @anonymous. Clearly the @anonymous registrant and Acting As users would need to be educated about the effects of this authentication.

As I understand the term, this is a form of directed identity. Do people see this as a valuable feature in an OP?
Thanks,
Mike
_______________________________________________
Dev mailing list
Dev at inames.net
http://dev.inames.net/mailman/listinfo/dev
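The OP-side decision logic Mike describes, written out as an added example. This is not code from the i-names project or from any real OP; the account table, the ACT_AS mapping, the password hashes and the names =stranger and @anonymous's "*" entry are constructed for illustration. It models the three rules in the proposal: the iname field only appears for accounts that have Acting As mappings, a delegate authenticates with their own password and gets an assertion for the target identifier, and Acting As is refused for managing the account at the OP. The "*" entry models the @anonymous extension, where any OP account may act as the target.

```python
"""Toy model of an OP's 'Acting As' mapping (added example, not project code).

Accounts, mappings and passwords below are constructed for illustration;
a real OP would keep them in its user store, never in source.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed OP accounts (i-names from the thread plus =stranger).
ACCOUNTS = {
    "@example*dept": make_account("dept-secret"),
    "=you": make_account("you-secret"),
    "=me": make_account("me-secret"),
    "@anonymous": make_account("anon-secret"),
    "=stranger": make_account("stranger-secret"),
}

# Acting As mappings, managed by each registrant at the OP.
# "*" is the extension from the thread: any OP account may act as the target.
ACT_AS = {
    "@example*dept": {"=you", "=me"},
    "@anonymous": {"*"},
}


def verify_password(iname: str, password: str) -> bool:
    acct = ACCOUNTS.get(iname)
    if acct is None:
        # Hash anyway so unknown and known i-names take the same time.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"]))


def login_form_fields(claimed_id: str) -> list:
    """Fields the OP shows for a claimed identifier: the extra iname field
    appears only when the account has Acting As mappings."""
    if ACT_AS.get(claimed_id):
        return ["iname", "password"]
    return ["password"]


def may_act_as(target: str, actor: str) -> bool:
    allowed = ACT_AS.get(target, set())
    return actor in allowed or ("*" in allowed and actor in ACCOUNTS)


@dataclass
class Assertion:
    claimed_id: str        # identifier asserted to the RP (e.g. @example*dept)
    authenticated_as: str  # account whose password was actually checked
    acting_as: bool        # True when the two differ


def authenticate(claimed_id: str, iname: Optional[str], password: str,
                 purpose: str = "rp_login") -> Optional[Assertion]:
    """purpose is "rp_login" (a redirect from an RP) or "account_management"
    (logging in to the OP itself).  Returns None when login is refused."""
    if iname is None:
        iname = claimed_id
    if iname != claimed_id:
        # Acting As only satisfies an RP login; it never manages the account.
        if purpose != "rp_login" or not may_act_as(claimed_id, iname):
            return None
    # The password checked is always the one of the account named in the
    # iname field, so =you never needs the @example*dept password.
    if not verify_password(iname, password):
        return None
    return Assertion(claimed_id, iname, iname != claimed_id)


if __name__ == "__main__":
    print(login_form_fields("@example*dept"))
    print(authenticate("@example*dept", "=you", "you-secret"))
    print(authenticate("@example*dept", "=you", "you-secret", "account_management"))
```

Note that the RP only ever sees @example*dept in the assertion; the `authenticated_as` field is what the OP would log so the registrant can later tell which delegate acted, which is the audit trail the Legacy system itself cannot provide.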