Re: Social Web XG Extra Meeting Wed. Oct 6th (12:00 Boston/16:00 London) - Wrapping up Final Report Take 2

On Thu, Oct 7, 2010 at 2:07 PM, Kaliya <kaliya@mac.com> wrote:
>
> On Oct 7, 2010, at 12:55 PM, Harry Halpin wrote:
>
>> Top-posting just to summarize:
>>
>> We separate profile providers (that provide attributes) from identity
>> providers (that authenticate the identity of the person). Since saying
>> "an identity provider is a service that *may* authenticate and *may*
>> provide attributes" is a bit too vague, could we just say
>>
>> "An identity provider is a service that authenticates a person to a
>> third-party."
>>
>> "A profile provider is a service that makes claims about a user by
>> providing attributes to a third-party."
>>
>> And then note
>>
>> "Many, but not all, identity providers (Infocards, OpenID 2.0
>> providers) make claims by providing attributes and so also function as
>> profile providers in some sense."
>>
>
> Infocards are not an identity provider.
> They are an identity selector tool & protocol.

We call "identity selector" -> "profile provider", which is where we
put attributes (claims). So we can phrase it more strongly:

"Many technologies like Infocards and OpenID (particularly with
Attribute Exchange) make claims by providing attributes and so are
profile providers, and this may be bound with particular identity
providers. Often these technologies are called "identity selectors" as
they select amongst possible multiple profiles, each of which could
correspond to a persona. Attributes can be very simple identifiers,
like an OpenID URL, while they could also make a claim without
revealing an identifier."

>
> The basic architecture supports the user choosing claims to a relying party
> website via the metaphor of "cards".
>
> The IMI (Identity Metasystem Interoperability) protocol at OASIS is where
> this is defined.
>
> InfoCards support the user making claims including "I am this particular
> user who visited this site last time and this is my identifier" but also
> supports making claims like "I am over 18" without revealing a date or
> particular identifiers.

Yes, this kind of approach is great, and we just try to separate the
mechanics of the authentication of the claims (which we call identity
provider) and the data-formats used to deliver the claims themselves
(which we called the profile of the identity). Obviously OpenID 2.0
does both (with AX and making a claim about an OpenID URL, also a
claim) as do Infocard-enabled active clients.
What we are trying to deal with is the fact that many of these
approaches are interoperable and some of them say nothing about other
authentication.

This is exactly the kind of feedback we need! thanks!

>
> OpenID is about an identifier (URL) that the user authenticates against and
> may with AX (attribute exchange) also pass profile information.
>
>
>> That I think covers all the bases. Whaddya think?
>>
>>   cheers,
>>        harry
>>
>>
>>
>>
>> On Thu, Oct 7, 2010 at 9:30 AM, Kaliya <kaliya@mac.com> wrote:
>>>
>>> On Oct 7, 2010, at 8:02 AM, Harry Halpin wrote:
>>>
>>>> On Thu, Oct 7, 2010 at 8:00 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> Defining an identity provider to authenticate the user limits
>>>>>
>>>>>
>>>>> On 2010-10-06, at 9:24 AM, Harry Halpin wrote:
>>>>>>
>>>>>>
>>>>>> An identity provider is a service (e.g. an OpenID identity provider)
>>>>>> that authenticates a person and provides a set of attributes about a
>>>>>> person to a third-party.
>>>>>>
>>>>>> Note the addition of *authenticates* and being explicit about a
>>>>>> third-party. That OK?
>>>>>>
>>>>>
>>>>> Saw this phrase and potentially jumping in out of context.
>>>>>
>>>>> Requiring the IdP to authenticate the user restricts a class of IdP's
>>>>> that may be making only a claim about the user, but not authenticating
>>>>> them.
>>>>
>>>> How about "may" authenticate? Then we cover both bases.
>>>>
>>>> We focus mostly on authentication, keeping attributes and claims kinda
>>>> under the "profile" term, but yes, good point.
>>>
>>> Not all authentications move attributes.
>>>
>>>>
>>>>>
>>>>> -- Dick
>>>>
>>>
>>>
>
>
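
The relying-party view of the split discussed above (an authentication assertion from an identity provider, a separate attribute claim such as "I am over 18" from a profile provider that carries no identifier), as an added example that is not part of this thread, of the Social Web XG report, or of any OpenID or IMI implementation. The token format, HMAC signing with pre-shared per-provider keys, and the names RelyingParty, idp_authenticate, profile_claim and the claim key over_18 are assumptions for illustration only.

```python
"""Added example (not from the thread): one relying party consuming two kinds
of signed assertion that the thread keeps apart.

  identity provider  -> authenticates a person: token carries an identifier
  profile provider   -> makes a claim: token carries attributes, here with
                        no identifier at all (the "I am over 18" case)

HMAC with pre-shared keys stands in for real provider signatures; the
token layout and every key, name and URL below are constructed assumptions.
"""
import hashlib
import hmac
import json
import secrets
from typing import Any, Optional

IDP_KEY = b"idp-demo-key"          # identity provider's key (constructed)
PROFILE_KEY = b"profile-demo-key"  # profile provider's key (constructed)


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so signer and verifier MAC the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload: dict, key: bytes) -> dict:
    return {"payload": payload,
            "mac": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}


def _verify(token: dict, key: bytes) -> Optional[dict]:
    expected = hmac.new(key, _canonical(token["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None  # tampered payload or token from a different provider
    return token["payload"]


def idp_authenticate(identifier: str, audience: str, nonce: str) -> dict:
    """Identity provider: asserts that the holder of `identifier` (e.g. an
    OpenID-style URL) authenticated to it, for `audience`, answering `nonce`."""
    return _sign({"type": "authn", "sub": identifier, "aud": audience,
                  "nonce": nonce}, IDP_KEY)


def profile_claim(attribute: str, value: Any, audience: str, nonce: str) -> dict:
    """Profile provider: asserts one attribute and deliberately includes no
    subject identifier, so the relying party learns the predicate only."""
    return _sign({"type": "claim", attribute: value, "aud": audience,
                  "nonce": nonce}, PROFILE_KEY)


class RelyingParty:
    """Accepts assertions only if correctly signed, addressed to this site,
    of the expected kind, and answering a nonce it issued and has not consumed."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._open_nonces: set = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self._open_nonces.add(nonce)
        return nonce

    def _accept(self, payload: Optional[dict], kind: str) -> Optional[dict]:
        if payload is None or payload.get("type") != kind:
            return None
        if payload.get("aud") != self.name:
            return None  # assertion minted for another relying party
        if payload.get("nonce") not in self._open_nonces:
            return None  # replayed, or a nonce we never issued
        self._open_nonces.discard(payload["nonce"])  # single use
        return payload

    def who_is_this(self, token: dict) -> Optional[str]:
        """Authentication: returns the authenticated identifier or None."""
        payload = self._accept(_verify(token, IDP_KEY), "authn")
        return payload["sub"] if payload else None

    def is_over_18(self, token: dict) -> Optional[bool]:
        """Claim: returns the over_18 predicate, or None if not trustworthy."""
        payload = self._accept(_verify(token, PROFILE_KEY), "claim")
        if payload is None or "over_18" not in payload:
            return None
        return bool(payload["over_18"])


def demo() -> tuple:
    """One login plus one age claim; shows the claim reveals no identifier."""
    rp = RelyingParty("https://rp.example")  # constructed relying party name
    authn = idp_authenticate("https://alice.example/", rp.name, rp.challenge())
    claim = profile_claim("over_18", True, rp.name, rp.challenge())
    return (rp.who_is_this(authn), rp.is_over_18(claim), "sub" in claim["payload"])


if __name__ == "__main__":
    print(demo())  # ('https://alice.example/', True, False)
```

The two verifiers share nothing but the nonce discipline: the identifier-bearing token is only ever checked against the identity provider's key, the attribute token only against the profile provider's key, so a profile provider that also wants to act as an identity provider (the Infocard/OpenID-with-AX case in the thread) would have to issue a separate authentication assertion rather than smuggling an identifier into a claim.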

Received on Thursday, 7 October 2010 12:30:33 UTC