Re: Proof of Concept: Identity Credentials Login from Manu Sporny on 2014-06-16 (public-webpayments@w3.org from June 2014)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 15 Jun 2014 22:07:17 -0400
To: public-webpayments@w3.org
Message-ID: <539E5155.6010809@digitalbazaar.com>

On 06/11/2014 06:03 PM, ☮ elf Pavlik ☮ wrote:
> I find it very impressing especially since you got running pushed to 
> a public repo - kudos++

Thanks :)

> First question coming to my mind:
> 
> "The way that both Mozilla Persona and OpenID do it is fairly 
> similar. OpenID assumes that your email address maps to your
> identity provider."
> 
> In my case, and I believe nowadays quite many other people, I control
> domain which I use for email address. With simple DNS configuration I
> use different 'providers' for my email server and my web server (here
> myself).

You are in the minority. The vast majority of people that use the Web do
not control their own domain.

> In this situation I find using webfinger[1] (also used by OpenID 
> Connect), more attractive then hiding from myself via 
> http://login-hub.com - even if His Holiness @Pontifex with His 
> Holiness @DalaiLama would run it very carefully together ;)

Why do you find it more attractive?

> I still need to take some time and wrap my head around your design 
> but maybe you could easily evaluate complexity of including
> webfinger based flow as an alternative option for those who may
> prefer such setup?

Yes, we've discussed having alternative mechanisms for looking up
identity providers. For example, we do this now:

1. Get email address + password from person that wants to login.
2. Query the Telehash network.

but we could do something like this in the future:

1. Get the email address from the person that wants to login.
2. If they don't provide a password, then do a WebFinger lookup.

or something like this:

1. Get an account identifier from the person that wants to login.
2. If the identifier starts with "~", assume that the identity lives on
   the Ripple network and query that network for the IdP information.

I'm sure you get the idea. We want to be able to find the identity
provider across IdP networks and support well deployed login solutions.
I don't think we'll be able to get away w/o providing some level of
interoperability w/ OpenID Connect. That said, the less technologies we
can pull into the solution, the better off we'll be.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Monday, 16 June 2014 02:07:47 UTC