REFEDS. Rome, October 2009 The OpenID Case Why It’s Not a Bad Idea to Play with The Big Guys.


1 The OpenID Case: Why It’s Not a Bad Idea to Play with The Big Guys

2 The OpenID Advent
- Simple to understand
  - You are your URL
  - Discovery is transparent
- Simple to extend
  - JSON-style mechanisms
  - Can allocate almost anything
- Embraced by (some of) The Big Guys
  - And some governments
- Well aligned with other protocols
  - Mostly, OAuth
- And that means opportunities for us

3 The OpenID LoA
- OpenID-The-Current-Infrastructure
  - Accept an OpenID as long as it is backed by the basic protocol
  - Most OpenIDs coming from Internet services with (very) few enrolment requirements
  - Therefore, very low LoA on identity
- OpenID-The-Protocol
  - Supports (or does not forbid) additional checks
  - Restricting acceptance to well-behaved OPs
- An example: yo.rediris.es
  - Requires an identity in a SIR IdP
  - Equivalent LoA to any SAML AuthN assertion

4 OpenID-The-Protocol
- SP checks for trusted IdP
- IdP checks for trusted SP
- Mutual authentication possible
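
Slides 3 and 4 describe restricting acceptance to well-behaved OPs (the SP checking for a trusted IdP). The following Python sketch of that relying-party check is an added illustration, not code from the presentation or from yo.rediris.es. The endpoint URL, the LoA label and the function names are assumptions, and the OpenID library is assumed to have already verified the signature and run discovery on the claimed ID.

```python
from urllib.parse import urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed policy table: OP endpoint -> (claimed_id prefix it may assert, LoA).
# The endpoint URL and the LoA label are illustrative assumptions.
TRUSTED_OPS = {
    "https://yo.rediris.es/server": ("http://yo.rediris.es/", "saml-equivalent"),
}

def normalize(url):
    """Canonical scheme://host[:port]/path[?query]; userinfo and fragment are dropped."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    port = ":%d" % p.port if p.port else ""
    query = "?" + p.query if p.query else ""
    return "%s://%s%s%s%s" % (p.scheme, p.hostname, port, p.path or "/", query)

def assertion_loa(params, discovered_endpoint):
    """Return the LoA for a signature-verified positive assertion, or None to reject."""
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return None
    try:
        endpoint = normalize(params["openid.op_endpoint"])
        claimed = normalize(params["openid.claimed_id"])
        # The asserting OP must be the one that discovery on the claimed ID returned.
        if endpoint != normalize(discovered_endpoint):
            return None
    except (KeyError, ValueError):
        return None
    policy = TRUSTED_OPS.get(endpoint)
    if policy is None:
        return None  # OP is not on the trusted list: no LoA, reject
    prefix, loa = policy
    # A trusted OP may only vouch for identifiers inside its own namespace.
    return loa if claimed.startswith(prefix) else None

# Constructed sample of the parameters an RP receives in a positive assertion.
SAMPLE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://yo.rediris.es/server",
    "openid.claimed_id": "http://yo.rediris.es/drlopez@rediris.es",
}
```
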

5 OpenIDs and NameIDs
- IdP discovery is an integral part of the OpenID protocol
  - OpenID v2 allows users to express non-unique IDs
  - yo.rediris.es -> http://yo.rediris.es/drlopez@rediris.es
- Initial attributes can be forwarded as well
  - Push-model for IdP-asserted attributes
- OpenIDs are DNs/NameIDs/SubjectDNs/…
  - Once expanded and validated can be used as subject identifier in any further query
  - Aggregate attributes retrieved via OAuth, SAML, LDAP, VOMS...

6 CTX: Full-fledged OpenID

7 CTX: Full-fledged OpenID

8 The Identity Golden Rule
- Digital identities are more valuable as they are more widely assertable
- Adoption/use of OpenID is a wise move
- Policies (and technologies) to define
  - What makes an OP reliable
  - What makes an OpenID usable
  - How to express metadata related to OP
- An algebra for attributes and LoAs

