[Go-essp-tech] [ESG-CET] Whitelisting of IDPs

Rachana Ananthakrishnan ranantha at mcs.anl.gov
Thu Feb 17 09:34:05 MST 2011 

I sent this to Nate earlier, sharing with broader group: http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html.

Without any SLAs or federation agreements available, we need to be careful about allowing just about any OpenID IdP and think thought ramifications of support and impact of their changes.

Rachana

On Feb 17, 2011, at 10:27 AM, <philip.kershaw at stfc.ac.uk> <philip.kershaw at stfc.ac.uk> wrote:

> Hi Nate,
> 
> One thing to take into consideration is the requirement that OpenID
> Providers for use in the federation use HTTPS.  Defects in the OpenID spec
> make it insecure when run over a non-encrypted connection.  Given this, I
> think whitelisting has to stay in some form.
> 
> Cheers,
> Phil
> 
> 
> On 17/02/2011 15:44, "Nathan Wilhelmi" <wilhelmi at ucar.edu> wrote:
> 
>> Hi,
>> 
>> In released versions of the gateway (1.2.0 and earlier) there are some
>> technical reasons for whitelisting which IDPs user's could use. Version
>> 1.3 contains a significant OpenId overhaul which should remove the
>> technical needs for whitelisting IDPs. With version 1.3 if you come in
>> from an IDP and the required attributes are not sent via AX the user is
>> simply prompted for the needed attributes before continuing. So from the
>> user's perspective they should be able to come in from *pretty much* any
>> IDP. Internally we have been testing with myopenid.com successfully.
>> 
>> So we have a couple of options:
>> 
>> 1) Remove whitelisting all together. We can still have a 'where are you
>> from' list of potential IDPs, this doesn't preclude BADC's suggestion.
>> We also have some ideas on how we can do a 'forgot my OpenId' to help
>> users figure out where they might be from.
>> 2) Put whitelisting back in, although drive it from the registry service
>> rather than shipping XML files with releases.
>> 3) Put a registry driven blacklist in place. If we find a few IDPs cause
>> problems we can blacklist those and let users freely use other ones.
>> 
>> Thoughts as to what direction to head?
>> 
>> Thanks!
>> 
>> -Nate
>> _______________________________________________
>> GO-ESSP-TECH mailing list
>> GO-ESSP-TECH at ucar.edu
>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
> 
> -- 
> Scanned by iCritical.
> _______________________________________________
> ESG-CET mailing list
> ESG-CET at earthsystemgrid.org
> http://mailman.ucar.edu/mailman/listinfo/esg-cet

Rachana Ananthakrishnan
Argonne National Lab | University of Chicago

More information about the GO-ESSP-TECH mailing list