[Dev] Acting As If =you were @example*dept
Gabe Wachob
gabe.wachob at amsoft.net
Wed May 16 22:38:42 EDT 2007
I'm not sure this is an inames-specific question, right?
You're saying basically that authentication to the OP can be done with a
different ID, and perhaps done with OpenID, than the ID claimed at the
OpenID RP.
This seems pretty straightforward to me - it's a matter of asking for a
normal username/password login at the OP, or doing OpenID authentication for
=you/=me where the OP turns around and acts like an RP (a chain of OpenID
authentication), or doing CardSpace authentication to the OP.
It's all perfectly legit from what I can tell, and I don't see how it relates
to XRDS, etc --- isn't it just a matter of local policy at the OP?
-Gabe
> -----Original Message-----
> From: dev-bounces at inames.net [mailto:dev-bounces at inames.net] On Behalf Of
> Michael Mell
> Sent: Wednesday, May 16, 2007 4:33 PM
> To: dev at inames.net
> Subject: [Dev] Acting As If =you were @example*dept
>
> An ibroker Customer has registered @example. Customer has a Legacy
> system which can only be configured to grant access to a single
> identifier, in this case, @example*dept. Customer wants =you and =me
> to authenticate using OpenID 1.1 to this system /as/ @example*dept
> without giving the @example*dept password to either =you or =me.
>
> I see a very simple way to implement this: The OP will enable
> @example*dept to create and manage a list of inames that are
> permitted to Act As @example*dept. The registrant enters =you and =me
> to this mapping. After creating the mapping, =you will enter
> "@example*dept" at the OpenID login box at the Legacy RP. The browser
> will be redirected to the OP for @example*dept. The OP will recognize
> that @example*dept has Acting As mappings so, in addition to the
> usual password field, the OP will present an iname form field to
> allow =you or =me to authenticate to the OP as =you or =me. After
> verifying the =you or =me password, the OP will redirect the browser
> back to the Legacy RP with the appropriate @example*dept tokens to
> confirm authentication as @example*dept.
>
> The OP will not accept Acting As authentications to manage the
> account -- =you may not Act As @example*dept at the OP.
>
> This method could be extended a step further so that the mapping list
> is irrelevant and any OP account can Act As a configured account such
> as @anonymous. Clearly the @anonymous registrant and Acting As users
> would need to be educated about the effects of this authentication.
>
> As I understand the term, this is a form of directed identity. Do
> people see this as a valuable feature in an OP?
>
> Thanks,
> Mike
>
> _______________________________________________
> Dev mailing list
> Dev at inames.net
> http://dev.inames.net/mailman/listinfo/dev
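The "Acting As" flow Mike proposes, modelled as an added Python example (this is not code from the inames list, from any i-broker or from any real OP; the account store, passwords and the OP/Account class names are constructed for illustration). It shows the three decisions the OP has to make: is the presented password valid for the identifier that actually authenticated, is that identifier in the owner's Act-As mapping (or is the account opened to any OP account, the @anonymous extension), and is the request an RP login rather than account management. It also keeps an audit record of who really authenticated behind each @example*dept assertion, since the Legacy RP will only ever see @example*dept.

```python
"""Toy model of an OP's 'Acting As' decision logic.

Added example, not the inames project's code. All identifiers, passwords
and the in-memory stores below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(salt: bytes, password: str) -> bytes:
    # Simple salted hash; a real OP would use a slow KDF, but the
    # Act-As logic is the point here, not password storage.
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    act_as: set = field(default_factory=set)  # inames allowed to Act As this account
    any_account: bool = False                 # the @anonymous-style extension


class OP:
    def __init__(self):
        self.accounts = {}
        # (claimed identifier, identifier that authenticated, purpose, outcome)
        self.audit = []

    def register(self, iname, password):
        salt = os.urandom(16)
        self.accounts[iname] = Account(salt, _hash(salt, password))

    def allow_act_as(self, owner, delegate):
        """The registrant of `owner` adds `delegate` to the Act-As mapping."""
        self.accounts[owner].act_as.add(delegate)

    def _check_password(self, iname, password):
        acct = self.accounts.get(iname)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash(acct.salt, password))

    def authenticate(self, claimed, auth_as, password, purpose="rp_login"):
        """Return the identifier to assert to the RP, or None if denied.

        claimed  - identifier typed into the RP login box (e.g. @example*dept)
        auth_as  - identifier from the extra iname field whose password is
                   presented; None means the claimed identifier itself
        purpose  - 'rp_login' for an OpenID assertion, 'manage' for the OP's
                   own account-management UI
        """
        auth_as = auth_as or claimed
        ok = self._check_password(auth_as, password)
        if ok and auth_as != claimed:
            # Act-As path: only for RP logins, and only if the owner permits it.
            acct = self.accounts.get(claimed)
            ok = (purpose == "rp_login" and acct is not None
                  and (acct.any_account or auth_as in acct.act_as))
        self.audit.append((claimed, auth_as, purpose, "ok" if ok else "denied"))
        return claimed if ok else None


def demo():
    """Constructed scenario from the thread: =you and =me may Act As @example*dept."""
    op = OP()
    op.register("@example*dept", "dept-secret")   # constructed passwords
    op.register("=you", "you-secret")
    op.register("=me", "me-secret")
    op.register("=stranger", "stranger-secret")
    op.allow_act_as("@example*dept", "=you")
    op.allow_act_as("@example*dept", "=me")
    results = {
        # =you authenticates with =you's password, RP sees @example*dept
        "you_login": op.authenticate("@example*dept", "=you", "you-secret"),
        # wrong password for =me
        "me_wrong_pw": op.authenticate("@example*dept", "=me", "wrong"),
        # valid OP account, but not in the mapping
        "stranger_login": op.authenticate("@example*dept", "=stranger", "stranger-secret"),
        # Act-As is never accepted for account management
        "you_manage": op.authenticate("@example*dept", "=you", "you-secret", purpose="manage"),
        # the registrant manages the account with its own password
        "dept_manage": op.authenticate("@example*dept", None, "dept-secret", purpose="manage"),
    }
    return op, results


if __name__ == "__main__":
    op, results = demo()
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    for entry in op.audit:
        print("audit:", entry)
```

The audit tuple is the part worth keeping in a real deployment: because the RP only receives @example*dept, the OP's log is the only place that records which delegate was behind a given login, and it is what lets the registrant review or revoke mappings with some confidence.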