[Dev] Acting As If =you were @example*dept

Owen Davis owen at linksafe.name
Thu May 17 11:37:03 EDT 2007


On May 16, 2007, at 7:38 PM, Gabe Wachob wrote:

> I'm not sure this is an inames-specific question, right?

That's partly what we're trying to answer here.  We have the use case
Mike described below and there are variations on it as well.  For
instance, @names (like domain names) may frequently belong to
organizations and have multiple people who have the need to
administer the @name.  There may be different roles associated with
the different users.  What's the best way to manage and maintain
these roles with inames and openid?

These roles may not be limited to (or include) "authenticate as  
@example*dept".

> You're saying basically that authentication to the OP can be done with a
> different ID, and perhaps done with OpenID, than the ID claimed at the
> OpenID RP.
>
> This seems pretty straightforward to me - it's a matter of asking for a
> normal username/password login at the OP, or doing openid authentication for
> =you/=me where the OP turns around and acts like an RP (a chain of OpenID
> authentication), or doing cardspace authentication to the OP.
>
> It's all perfectly legit from what I can tell, and I don't see how it relates
> to XRDS, etc --- isn't it just a matter of local policy at the OP?

It may not relate.  We were looking to (1) brainstorm and (2) do a  
sanity check.

Thanks!

Owen

>
> 	-Gabe
>
>> -----Original Message-----
>> From: dev-bounces at inames.net [mailto:dev-bounces at inames.net] On Behalf Of
>> Michael Mell
>> Sent: Wednesday, May 16, 2007 4:33 PM
>> To: dev at inames.net
>> Subject: [Dev] Acting As If =you were @example*dept
>>
>> An ibroker Customer has registered @example. Customer has a Legacy
>> system which can only be configured to grant access to a single
>> identifier, in this case, @example*dept. Customer wants =you and =me
>> to authenticate using OpenID 1.1 to this system /as/ @example*dept
>> without giving the @example*dept password to either =you or =me.
>>
>> I see a very simple way to implement this: The OP will enable
>> @example*dept to create and manage a list of inames that are
>> permitted to Act As @example*dept. The registrant enters =you and =me
>> to this mapping. After creating the mapping, =you will enter
>> "@example*dept" at the OpenID login box at the Legacy RP. The browser
>> will be redirected to the OP for @example*dept. The OP will recognize
>> that @example*dept has Acting As mappings so, in addition to the
>> usual password field, the OP will present an iname form field to
>> allow =you or =me to authenticate to the OP as =you or =me. After
>> verifying the =you or =me password, the OP will redirect the browser
>> back to the Legacy RP with the appropriate @example*dept tokens to
>> confirm authentication as @example*dept.
>>
>> The OP will not accept Acting As authentications to manage the
>> account -- =you may not Act As @example*dept at the OP.
>>
>> This method could be extended a step further so that the mapping list
>> is irrelevant and any OP account can Act As a configured account such
>> as @anonymous. Clearly the @anonymous registrant and Acting As users
>> would need to be educated about the effects of this authentication.
>>
>> As I understand the term, this is a form of directed identity. Do
>> people see this as a valuable feature in an OP?
>>
>> Thanks,
>> Mike
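Mike's Acting As proposal, modelled as an added Python example (not code from this thread or from any i-broker): the OP keeps a per-account list of delegates, verifies the delegate's own password, asserts the delegating identifier only for RP logins, and refuses it for account management at the OP. The OP class, build_demo_op, the "*" wildcard and the sample accounts and passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _hash(password, salt):
    # Salted PBKDF2 so the OP stores and compares only password hashes
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class OP:
    accounts: dict = field(default_factory=dict)   # iname -> (salt, hash)
    # delegating iname -> inames permitted to Act As it: the mapping list the
    # @example*dept registrant maintains. "*" models the proposed extension
    # where any OP account may Act As a configured account such as @anonymous.
    acting_as: dict = field(default_factory=dict)

    def register(self, iname, password):
        salt = os.urandom(16)
        self.accounts[iname] = (salt, _hash(password, salt))

    def verify(self, iname, password):
        rec = self.accounts.get(iname)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(_hash(password, salt), digest)

    def authenticate(self, claimed, login_as, password, purpose):
        """Return the identifier the OP asserts, or None to refuse.
        claimed: iname typed at the RP (e.g. @example*dept); login_as: iname
        from the OP's extra form field (e.g. =you); purpose: "rp" for an
        OpenID login at the Legacy RP, "manage" for managing the OP account."""
        if not self.verify(login_as, password):
            return None
        if login_as == claimed:
            return claimed   # ordinary login with the account's own password
        if purpose != "rp":
            return None      # Acting As never grants account management at the OP
        allowed = self.acting_as.get(claimed, set())
        return claimed if ("*" in allowed or login_as in allowed) else None

def build_demo_op():
    # Constructed sample data: @example's registrant delegates to =you and =me
    op = OP()
    for iname, pw in [("@example*dept", "dept-secret"), ("=you", "you-pw"),
                      ("=me", "me-pw"), ("=stranger", "s-pw"), ("@anonymous", "anon-pw")]:
        op.register(iname, pw)
    op.acting_as["@example*dept"] = {"=you", "=me"}
    op.acting_as["@anonymous"] = {"*"}
    return op
```

The @example*dept password is never handed to =you or =me; the OP only ever checks the delegate's own credential and then decides, from the mapping, whether to assert the delegating identifier to the RP.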