[sldev] OpenID & SSL certificates

[Matthew Dowd]

> Being that there's no clear requirement for this proposal, what does > OpenID provide that makes it a better option than doing nothing?
 
As regards the security issue OpenID doesn't offer much over doing nothing - you can apply the same hydrogen analogy as you used for cerificates, they just form part of the system.
 
The reason for using OpenID or a similar system is two fold:
 
i) they allow you to use the same id for accessing other web applications - this of course depends entirely on how widespread their use is elsewhere
 
ii) and for me this is the interesting one - identity brokering.
 
What this means is that the OpenID has associated various attributes (we'll leave out the technical details of where these are stored - there are numerous approaches from centralised to decentralised) such as whether you are over 18, your actual age, address, name etc.
 
You have control over which services can request which attributes. So LL may only be permitted to request the over 18 flag, whereas your web hosting company may be able to request your name and mobile number.
 
Various entities can sign and validate those attributes - e.g. your bank may verify your age and over 18 flag, your mobile phone company can verify your phone number.
 
This creates an online identity verification whereby the user has control over which information is revealed to which services, and provides verification of that information - whether LL believes you are over 18 depend on whether your bank is trusted by LL to verfy that information for instance (or whether LL can pass the liability buck onto said bank).
 
Matthew
_________________________________________________________________
100’s of Music vouchers to be won with MSN Music
https://www.musicmashup.co.uk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.secondlife.com/pipermail/sldev/attachments/20070930/2af4fdd2/attachment-0001.htm