[Dev] Acting As If =you were @example*dept

Michael Mell mike at nthwave.net
Thu May 17 11:40:43 EDT 2007 

On May 16, 2007, at 5:09 PM, Chasen, Les wrote:

> Or put a ref in @example*dept to =you.  If there is no authentication 
> sep in @example*dept then the resolver should find the authentication 
> sep for =you.  Then if I am not mistaken the op should pull the cid 
> for =you and request appropriate password.

Hi Les,
I have two problems with that approach:
1) When using a ref, the XRDS and canonical id of the Referred (e.g. 
=you) Iname is returned from resolution. So with a ref on @example*data 
to =you, resolving @example*data would return the XRDS for =you. That's 
not the desired behavior.

2) =you AND =me must both have rights as @example*dept. A ref to =you 
cuts out =me.


On May 16, 2007, at 5:02 PM, Markus Sabadello wrote:

> I think it would probably work, but I don't envy anyone trying to 
> implement an OP that supports it. There will be a lot of redirecting 
> to get right.

Ok, I'll worry about that part. Though I don't see this as complicated 
at all.

> A simpler solution might be OpenID Delegation, but with that you would 
> have to give the @example*dept password to =me and =you.

That's not acceptable in this use case. The password must remain 
private with the registrant of @example*dept to maintain OP account 
control.


Thanks
Mike



>  On 5/17/07, Michael Mell <mike at nthwave.net> wrote:
>
>          An ibroker Customer has registered @example. Customer has a 
> Legacy
>          system which can only be configured to grant access to a 
> single
>          identifier, in this case, @example*dept. Customer wants =you 
> and =me
>          to authenticate using OpenID 1.1 to this system /as/ 
> @example*dept
>          without giving the @example*dept password to either =you or 
> =me.
>         
>          I see a very simple way to implement this: The OP will enable
>          @example*dept to create and manage a list of inames that are
>          permitted to Act As @example*dept. The registrant enters =you 
> and =me
>          to this mapping. After creating the mapping, =you will enter
>          "@example*dept" at the OpenID login box at the Legacy RP. The 
> browser
>          will be redirected to the OP for @example*dept. The OP will 
> recognize
>          that @example*dept has Acting As mappings so, in addition to 
> the
>          usual password field, the OP will present an iname form field 
> to
>          allow =you or =me to authenticate to the OP as =you or =me. 
> After
>          verifying the =you or =me password, the OP will redirect the 
> browser
>          back to the Legacy RP with the appropriate @example*dept 
> tokens to
>          confirm authentication as @example*dept.
>         
>          The OP will not accept Acting As authentications to manage the
>          account -- =you may not Act As @example*dept at the OP.
>         
>          This method could be extended a step further so that the 
> mapping list
>          is irrelevant and any OP account can Act As a configured 
> account such
>          as @anonymous. Clearly the @anonymous registrant and Acting 
> As users
>          would need to be educated about the effects of this 
> authentication.
>         
>          As I understand the term, this is a form of directed 
> identity. Do
>          people see this as a valuable feature in an OP?
>         
>          Thanks,
>          Mike
>         
>          _______________________________________________
>          Dev mailing list
>          Dev at inames.net
>          http://dev.inames.net/mailman/listinfo/dev 
> <http://dev.inames.net/mailman/listinfo/dev>
>         
>
>
>

More information about the Dev mailing list