- From: Peter Williams <home_pw@msn.com>
- Date: Tue, 8 Feb 2011 10:07:12 -0800
- To: "public-xg-webid@w3.org" <public-xg-webid@w3.org>
- Message-ID: <SNT143-w5398570F8BB37A45E3AD9192EA0@phx.gbl>
[1] is very mature in its writing. It's obviously been worked on for a while, which is telling. Structurally, it's an example of the SAML use case known as an SP affiliation, with account linking flow. In SP affiliations, that a given "1SP" found itself able to rely on an assertion is sufficient for n-1 other 2SPs in the "affiliation" to also rely on the linked name that the 1SP issues, bound to name claims from the IDP. There are "pressures" on the SAML vendors to "remove" this flow from their products. I've always supported it (mostly to ensure the flow choices were not biased, allowing for UCI-style public infrastructure to evolve, assuming anyone wanted it to).

The use case is a variation of one of the founding OpenID use cases, that none of the major IDPs actually support. It allows the user to bind several IDP names to the account at the primary 1SP, which then speaks its linked [account] name to n other 2SP sites. In the OpenID flow, the user can talk to the 2SP directly (without any intermediation), can talk to the 2SP through a 1SP' distinct from 1SP not prime (case of parallel intermediaries, for resilience), and can bind multiple IDP names even to a given 1SP (because that's the nature of work vs. home life).

It's also a rough analogue in Windows cert land of binding one's cert/subject name to an NT account, using the cert mapping features of the IIS web server. Since that NT account is a UPN, and may be federated using Active Directory trust with other naming domains, when visiting a remote site the user with that client cert (used in client authn) may be known as local-X: introduced by remote-Y: mapped by cert: issued by self - where transitive Kerberos and one or more cert mappings are the handoff rules along that trust chain.

> Date: Tue, 8 Feb 2011 18:06:31 +0100
> From: ddooss@wp.pl
> To: public-xg-webid@w3.org
> Subject: Account Management in Firefox 5
>
> An interesting idea is proposed by Mozilla. Maybe WebID can be one of
> profiles in spec [1].
> More about this idea is in [2].
>
> [1] https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager/Spec/3
> [2] http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/
>
> Best,
>
> Dominik 'domel' Tomaszuk
Received on Tuesday, 8 February 2011 18:07:46 UTC