Comments on: Why would a site adopt OpenID?

By: Azox

Azox — Fri, 23 Mar 2007 06:01:42 +0000

Awesome, man

By: Andrew

Andrew — Tue, 09 Jan 2007 19:23:34 +0000

If by "claims" you mean getting the user profile information from the person using OpenID to login to your web site, I just posted on how to do it using JanRain's assembly on my blog.

By: Blane

Blane — Fri, 24 Nov 2006 16:56:05 +0000

I see your website grabbed some claims so any insight would be much appreciated!

By: Blane

Blane — Fri, 24 Nov 2006 16:55:14 +0000

Probably not quite the place to post this comment but we are desperate. We are working on accepting user-centric identities. We plan on accepting OpenId and CardSpace. We have a similar page that whobar provides.

We develop with the JanRain .NET library from openid.org.

You mentioned in this blog OpenId mail forums and I was wondering how to get to them? We are very confused about how we get identity claims from the OpenId token.

There does not appear to be anything in the JanRain that lets you do that. Even WhoBar talks about getting the claims but when we run the code we don’t get anything.

Thanks!

By: Forsooth

Forsooth — Fri, 06 Oct 2006 07:35:42 +0000

You can’t say the bank would be liable if a user’s security is compromised because of a poor IdP. That’s tantamount to saying the bank would be liable if the user left his password taped to the monitor and his brother logged in and emptied his funds. (of course there are probably no legal precidents yet in this arena but it seems highly unlikely…)

By: Will Norris

Will Norris — Thu, 05 Oct 2006 23:45:29 +0000

@Forsooth:

There are plenty of use cases in which a Service Provider is concerned about the strength of an Identity Provider’s authentication mechanism. Imagine I’m a banking website and I allow users to login with their OpenID (I’m not sure that I’d recommend that, but just suppose..) I have a real concern with making absolutely sure that the person at the keyboard really is the person who owns a particular bank account. I am the one releasing the data (or allowing access, whatever), so it is ultimately my responsibility to authenticate the user. As a convenience I may delegate this authentication to another party, but in the end it is still my responsibility. Granted, they have a responsibility of choosing a good IdP, but I would also have a liability risk if I release someone’s personal banking data because I didn’t adequately authenticate the user. Requiring a specific level of assurance would alleviate this to a certain degree. (Of course as already mentioned, I’d have to trust the IdP to be honest in how they authenticated the user).

By: Forsooth

Forsooth — Thu, 05 Oct 2006 07:41:35 +0000

Paul Madson wrote:

>There should/must be a way for the IDP to say how they authenticated the user – the SP might need this info in assessing the relevance of the IDP’s claim to its security requirements.

Why would it need this info? Who cares? It should be the user’s responsibility not to choose a crappy IdP, just like it should be the user’s responsibility to not post porn pix to the consuming site.

By: karl

karl — Thu, 05 Oct 2006 06:36:14 +0000

More trust is good in some cases and not in others. As in connecting too many dots together and we enter in a privacy issue because of the lost of opacity.

So I would be careful, Open ID is good, but I would encourage to have more than one depending on their online personae.

By: kveton

kveton — Thu, 05 Oct 2006 01:56:21 +0000

The possibilities are endless. The other thought on this would be to notify sites when you change the information at your IdP. So you update your email and instead of having to login to all of your sites your IdP actually sends a note saying “hey, we just updated this user’s email address”. This is a non-trivial thing to do because you have to really trust the IdP.

In the case that you mention; user hassling another user on a specific site. Odds are if they know their OpenID they can hassle them all day long no matter what site they are on. In that case, maybe a using an anonymizer would be a good thing.

By: Will Norris

Will Norris — Wed, 04 Oct 2006 23:27:15 +0000

Another use of simple registration is keeping your local copy of this data up to date… this is what we are trying to get our Shibboleth service providers to do. So a user may login and create an account with an email address X, but next week he changes his email address at his IdP to Y. If you receive his attributes each time he logs in to your application, you can check to see if you have the latest data and update if not.

Of course, there are cases when you might NOT want to update your local data… suppose a user is being hassled by another member in your community, so they change their contact information in your application. You wouldn’t necessarily want to change it right back the next time they log in, now would you? So you definitely need to think through everything, but it has the potential for providing real data provisioning.