<div dir="ltr"><div>In the OAuth space there are a bunch of companies/projects doing something that they term differently, but which sounds very similar to your use case.</div><div><br></div><div>An OAuth "aggregator" wants to pull together assertions about a particular user (call him Tom) from multiple 3rd parties, and then allow Tom to share those assertions with other users of the aggregator site, or share them to other 3rd party sites. The most well known examples are activity streams in OpenSocial, and personal health record stores like MS HealthVault & Google Health.</div>
<div><br></div><div>Some examples of assertions include things like "Stanford says this user graduated with a Comp Sci degree from Stanford," or "World of Warcraft says this user's warrior on World of Warcraft is level 33," or "LabQuest says this user had lab test X with result Y."</div>
<div><br></div><div>In most of these scenarios, we are seeing that the downstream readers of an assertion are willing to trust the aggregator to specify the identity of the original asserter. That is not as cryptographically strong as the original source signing their assertion; however, as people noted in this thread, it is certainly possible to add that feature. Though in some specialized cases the digital signatures can leak privacy details, and avoiding that requires even more advanced crypto techniques.</div>
<div><br></div><div>If you want to learn more, there are some comments about this type of assertion "gathering" in the following two documents about how OAuth is used, however they are targeted more at product managers/marketing types, and don't focus much on the technical details.</div>
<div><br></div><div><a href="https://sites.google.com/site/oauthgoog/oauth-practices">https://sites.google.com/site/oauthgoog/oauth-practices</a><br></div><div><br></div><div><a href="https://sites.google.com/site/oauthgoog/oauth-practices/user-interface">https://sites.google.com/site/oauthgoog/oauth-practices/user-interface</a><br>
</div><br>Eric Sachs<div>Product Manager, Google Security<br><div><br><div class="gmail_quote">On Tue, Sep 16, 2008 at 8:23 AM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="Ih2E3d">>Basically, I'd use my preferred OP and request the organization to<br>
>provide a signed attribute of my membership in org XYZ.<br>
<br>
</div>Interesting thought - signed by the organization? Perhaps an<br>
assertion of membership AND "here's what your organization gave us to<br>
remind them that you are a member", so the organization can recognize<br>
revoked membership signatures?<br>
<div class="Ih2E3d"><br>
>Of course, there will have to be a "trust relationship" between org XYZ<br>
>and my preferred OP, but I don't see that trust as any deeper than the<br>
>"trust relationship" between and RP and an OP.<br>
<br>
</div>If there were only a single OP in the world, it would even be the<br>
*same* trust relationship, and with one OP handling authentication<br>
for several organizations; just as one OP can handle authentication<br>
for more than a single organization now.<br>
<br>
But perhaps starting out as the OP for a small organization, at<br>
first, can be an opportunity for new developers to both assure<br>
themselves of OpenID's security and find gainful employment in<br>
connection to business startups?<br>
<br>
-Shade<br>
<div><div></div><div class="Wj3C7c">_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div></div></div>
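To make the distinction in the thread concrete (the aggregator merely naming the issuer versus the issuer signing its own assertion), here is an added example that is not code from the thread or from any of the products mentioned. It assumes Ed25519 signatures over a canonical JSON encoding, and the issuer name "stanford.edu", the user "tom" and the claim text are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Assertion is one third-party statement about a user, e.g.
// "stanford.edu says tom graduated with a Comp Sci degree".
type Assertion struct {
	Issuer  string `json:"issuer"`
	Subject string `json:"subject"`
	Claim   string `json:"claim"`
}

// SignedAssertion carries the issuer's signature over the canonical
// encoding, so the signature covers the issuer name as well as the claim.
type SignedAssertion struct {
	Assertion Assertion
	Signature []byte
}

// canonical gives a deterministic encoding: struct field order is fixed.
func canonical(a Assertion) []byte {
	b, _ := json.Marshal(a)
	return b
}

// Sign is done by the original source before handing the assertion
// to the aggregator (constructed example, not a real issuer API).
func Sign(priv ed25519.PrivateKey, a Assertion) SignedAssertion {
	return SignedAssertion{Assertion: a, Signature: ed25519.Sign(priv, canonical(a))}
}

// Verify is done by the downstream reader using issuer public keys it
// obtained from the issuers themselves, not from the aggregator.
func Verify(keys map[string]ed25519.PublicKey, s SignedAssertion) bool {
	pub, ok := keys[s.Assertion.Issuer]
	return ok && ed25519.Verify(pub, canonical(s.Assertion), s.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"stanford.edu": pub}
	s := Sign(priv, Assertion{"stanford.edu", "tom", "degree=BS Computer Science"})
	fmt.Println("as issued:", Verify(keys, s)) // true
	s.Assertion.Claim = "degree=PhD"           // edited in transit by the aggregator
	fmt.Println("after edit:", Verify(keys, s)) // false
}
```

With the aggregator-only model the reader has nothing to run Verify against and must take the issuer label on trust; with source signatures, relabelling the issuer or editing the claim is detectable without trusting the aggregator.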