On Mar 24, 2006, at 12:26, RL 'Bob' Morgan wrote:
And, forgive my ignorance, aren't OpenID and LID agnostic about the actual means of authentication performed between the authentication service and the user agent?

Yep.

So if someone deploys it using form-based authentication, or taking advantage of some existing form-based authentication, then that would require UI, and would make the system fail to work for non-UI user agents, would it not? You can say: well, then don't deploy it that way, use Basic or something; but telling people not to use stuff they like to use isn't a winning strategy usually.

No. The question is 'which is the endpoint that you are authenticating?' If, for example, the endpoint is your/on your local PC (instead of a Yadis URL out in the cloud, accessible only through a browser), you might not need to authenticate again because you already did when you logged into your computer.

Which of course brings up the issue of "identity chaining" or whatever we'd call it, which surprisingly, has been largely absent from this list so far: the use of one identity/persona/whatever to authenticate against another identity/persona/whatever and so forth, which then becomes the only thing a Relying Party sees; something the LID protocol has been able to do for a long while, and that turns out to be quite handy ... e.g. in order to log on only once at a single service, but still use a number of separate identities/identifiers/personas/whatever hosted by a variety of service providers. I don't think anybody has implemented the same thing for OpenID so far, but I can't think of a reason it can't be done either without any protocol extensions.

It could be useful to look at standard ways to accommodate GUI and non-GUI user agents each with appropriate methods with the same installations. Or perhaps YADIS does this.

This turned out to be a beneficial side-effect of Yadis that we did not even plan on. Funny, how technology sometimes does that: instead of using Yadis "just" for identity URL discovery, one can also use it for Relying Party discovery, and the discovery of which authentication protocols a Relying Party supports. (Usually we rely on the user to do that discovery by looking at an HTML page where it says "you need to have a username and password to authenticate here" or "SXIP in" or whatever it says). So Yadis also gives us a "marker" for non-GUI-based User Agents for which auth methods are accepted here.
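The Relying Party discovery described above, as an added example (not code from this thread or from any Yadis/OpenID implementation): the user agent reads the RP's XRDS document, orders the advertised services by Yadis priority and takes the first one it can actually perform, so a non-GUI agent never lands on a form-based method. Only the OpenID 1.1 signon Type URI is a real published value; the other Type URIs, the hostnames and the XRDS document itself are constructed for the example.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"   # XRD 2.0 namespace used inside Yadis documents
XRDS_NS = "xri://$xrds"

# Constructed sample XRDS that a Relying Party could publish to advertise the
# auth methods it accepts (only the OpenID 1.1 signon Type is a real URI).
SAMPLE_XRDS = f"""<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="10">
      <Type>http://example.org/auth/html-form</Type>
      <URI>https://rp.example.org/login</URI>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://rp.example.org/openid/return</URI>
    </Service>
    <Service>
      <Type>http://example.org/auth/http-basic</Type>
      <URI>https://rp.example.org/api</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def tag(name):
    return "{%s}%s" % (XRD_NS, name)

def parse_services(xrds_text):
    """Services of the last XRD (the one Yadis says to use), lowest priority
    value first; no priority sorts last; ties keep document order (simplified)."""
    xrds = ET.fromstring(xrds_text).findall(tag("XRD"))
    if not xrds:
        return []
    rows = []
    for idx, svc in enumerate(xrds[-1].findall(tag("Service"))):
        prio = svc.get("priority")
        types = [t.text.strip() for t in svc.findall(tag("Type")) if t.text]
        uris = [u.text.strip() for u in svc.findall(tag("URI")) if u.text]
        rows.append((prio is None, int(prio or 0), idx, types, uris))
    rows.sort(key=lambda r: r[:3])
    return [(types, uris) for _, _, _, types, uris in rows]

def choose_service(xrds_text, supported_types):
    """First advertised service whose Type the agent can perform, or None.
    A non-GUI agent simply omits the form-based Type from supported_types."""
    for types, uris in parse_services(xrds_text):
        for t in types:
            if t in supported_types:
                return t, (uris[0] if uris else None)
    return None
```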

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix