[cas-dev] OpenID use case

David Whitehurst dlwhitehurst at gmail.com
Thu Sep 18 08:26:01 EDT 2008


Mr. Beutel:

I'm an independent consultant in NC and I've carried the one user, one
login torch for years.  I'm looking at creating authentication
interfacing like an electronic filter to support enterprise operations
and easy implementations.  And, CAS is probably the best "already in
use" product I've found.  And, OpenID intrigues me but I'm not sure
how to evangelize the use.  I can evangelize CAS and it sells itself.

Do you see a way to convince people to use it?  I asked Scott
Battaglia for any information that came out of the protocol phone
conference.  I am interested in anything that happens in relation to
OpenID and CAS.  Also, if use cases become clear and you need my help
please ask.  I would be interested in creating an authentication
module for CAS for OpenID.  And, maybe I'll just do it and send the
group a note.

It's fresh air to get your note about the use cases, especially when
I'm looking hard at OpenID.  It helps to know that I'm on the right
track.

Thanks,

David Whitehurst

On 9/18/08, J. David Beutel <jbeutel at hawaii.edu> wrote:
> OpenID use cases were mentioned in the minutes of last month's
> conference call:
> http://www.ja-sig.org/wiki/display/CAS/2008-08-15+Conference+Call
>
> I have a use case for CAS as an OpenID client (i.e., Relying Party).
> I'm developing a second-level CAS for multi-level authentication.  (I
> call it second-level because it first forces a username and password
> authentication on our regular CAS.)  It's protecting the user's bank
> account number, which the user can input and read later.  It uses secret
> questions and answers (a.k.a. challenge/response), like many bank and
> credit card web sites currently do.
>
> Some users might want to have stronger authentication for this.  Some
> OpenID providers offer free multi-factor authentication.  (Various
> non-free hardware can also provide multi-factor authentication via
> OpenID.)  The use case is to allow the user to configure an optional
> OpenID which my second-level CAS authenticates in addition to the basic
> questions and answers.  The user goes to their OpenID provider like a
> third level in the authentication chain.  CAS has no guarantee about the
> strength of that authentication, but it can be as strong as the user
> chooses to protect their own information.
>
> Here's one OpenID provider I tried today that offers free multi-factor
> authentication via a phone call, e.g., to a mobile phone:
>
> https://www.myopenid.com/about_callverifid
>
> Here's another OpenID provider that offers a different kind of
> authentication using images in the browser.  It's also free, although I
> haven't tried it yet.
>
> http://www.vidoop.com/products
>
> It looks like we could do the phone authentication directly, using
> http://www.phonefactor.com/ (as long as they continue providing it for
> free, at least).  However, OpenID would be better, because the user
> would have a choice.  For example, deaf users would have problems with
> the phone call, while blind users can't do the image authentication.
> Users with various authentication hardware, such as one-time-password
> tokens or biometric readers, would also have the choice of using their
> corresponding OpenID Provider.  I wouldn't need to add support to CAS
> for all these different types of authentication, just for OpenID.
>
> Although CAS currently can be an OpenID Provider, leveraging whatever
> authentication it already has, by adding support for CAS to be an OpenID
> Relying Party, it would leverage all the authentication on all the other
> OpenID Providers.  If it's an optional addition for the user, not an
> alternative to the regular authentication, then it's not a problem that
> CAS doesn't trust the OpenID Provider or know the strength of its
> authentication.
>
> Cheers,
> 11011011
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
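
The reasoning in the quoted message, that an OpenID step added on top of the regular authentication does not require trusting the OpenID Provider, shown as an added example (not part of the original thread and not CAS code). The Session model, both policy functions and the placeholder identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    """Factors proven so far in one login attempt (hypothetical model)."""
    first_level_cas: bool = False          # username/password at the regular CAS
    secret_answers: bool = False           # second-level questions and answers
    openid_asserted: Optional[str] = None  # claimed identifier an OP vouched for

def additive_policy(enrolled_openid: Optional[str], s: Session) -> bool:
    """OpenID as an optional addition: it can only tighten the baseline."""
    if not (s.first_level_cas and s.secret_answers):
        return False                       # the baseline is never waived
    if enrolled_openid is None:
        return True                        # user did not opt in
    # Opted in: the step is mandatory and must match the enrolled identifier,
    # so it cannot be skipped or satisfied with some other OpenID.
    return s.openid_asserted == enrolled_openid

def alternative_policy(enrolled_openid: Optional[str], s: Session) -> bool:
    """Contrast: OpenID accepted instead of the regular authentication."""
    if enrolled_openid is not None and s.openid_asserted == enrolled_openid:
        return True                        # access now rests on the OP alone
    return s.first_level_cas and s.secret_answers

# Constructed scenarios; the identifiers are placeholders.
ALICE = "https://alice.openid.example/"
SCENARIOS = {
    "OP asserts Alice, nothing else proven": Session(openid_asserted=ALICE),
    "baseline proven, OpenID step skipped": Session(True, True),
    "baseline proven, a different OpenID": Session(True, True, "https://mallory.openid.example/"),
    "all three levels proven": Session(True, True, ALICE),
}

def evaluate(enrolled_openid: Optional[str]) -> dict:
    """Return {scenario: (additive decision, alternative decision)}."""
    return {name: (additive_policy(enrolled_openid, s),
                   alternative_policy(enrolled_openid, s))
            for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (add, alt) in evaluate(ALICE).items():
        print(f"{name:40} additive={add!s:5} alternative={alt}")
```

With OpenID enrolled, only the additive policy refuses the first three scenarios; the alternative policy grants the first one on the provider's word alone, which is the case where the provider's strength would have to be trusted.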

