
List:       openid-user-experience
Subject:    Re: [OpenID] FB Connect, OpenID and UX
From:       "David Fuelling" <sappenin () gmail ! com>
Date:       2008-12-16 19:21:14
Message-ID: 51dae84d0812161121md808216ic92f2b7968638934 () mail ! gmail ! com

On Tue, Dec 16, 2008 at 4:41 PM, Johannes Ernst <jernst+openid.net@netmesh.us> wrote:

> It's a bit more complicated than that. In many of those cases there is a
> requirement that some service (say the travel site, for argument's sake)
> cannot tell the difference whether it was the executive or the assistant who
> logged in. (Let's call it the vanity argument: executive is trying to
> pretend that she can be on top of all things at the same time)
>
> Also, the information that assistant is allowed to act on behalf of the
> executive should be centralized in one place (perhaps the corporate
> directory, for argument's sake), while relying parties should not have to be
> modified to allow for this delegation model or, see above, not even be able
> to tell.
>
> I'm thinking that some kind of chained identity might help ... where, say,
> assistant uses OpenID example.com/alice and executive uses example.com/bob,
> both of which can be used to authenticate into the account
> example.com/executive. That latter OpenID would then be used by either to
> log into the travel site.
>
>
Couldn't you use OAuth here, except instead of providing access to an
application, you're providing access to a piece of what a particular user
could use?  After all, isn't OAuth about authorization?
