+1

Exactly, group membership is an attribute and you may need to assert multiple ones at the same time.

I believe the SAML solution to this is to use a sort of ephemeral for the subject of the assertion.

For OpenID the equivalent is not using an identifier at all. The same effect can also be achieved with managed info-cards.

I think overloading the identifier with group meaning is a bad direction.

You could do it now, by allowing multiple people to assert the same OpenID, but that would cause all sorts of problems for RPs not understanding the difference.

Keeping it identity-less also allows the assertion to come from a 3rd party.

The group may be the only one that can say I belong to it. They may have the OpenIDs of their members and make membership assertions on their behalf without being a full IDP. That could be done with AX or OAuth for transferring the attributes.

John Bradley
On 14-May-09, at 12:17 AM, Andrew Arnott wrote:

If an RP only needs group membership and no individual identity, then why assert an identifier at all? Use OAuth or identity-less OpenID. I think it would seriously cloud OpenID's Identifiers if an AX attribute that may or may not be noticed or included significantly changes what the identifier's significant meaning is.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Wed, May 13, 2009 at 8:36 PM, SitG Admin <sysad...@shadowsinthegarden.com > wrote:
Attributes like group membership belong in AX, not in the identifier.

I suspect the idea is to have a pseudonymous identifier that discloses nothing about the person using it other than the fact that they can assert the same ID each time they return to prevent correlation.

To further prevent correlation, the OP may wish to support users in authenticating as members of a group - *in such a way* that individual users cannot be distinguished from one another. If not for that, RPs could correlate information over time, establishing theoretical profiles of the users.

I think one compromise could be to use a traditional identifier, and then use AX to signal to the RP that the OP might vouch for more than one individual having that URI.

-Shade

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
