[cas-dev] OpenID use case
Scott Battaglia
scott.battaglia at gmail.com
Thu Sep 18 09:56:25 EDT 2008
Just an FYI, anyone is free to join the call (just get the info from Ben)
and we always publish more minutes. A lot of the final decisions about
architecture and protocol will be made in Madison, WI when we're all in
front of a whiteboard. If you're not attending the UnConference but want to
be included in some of the talks either via video conference or conference
call let us know so we can make appropriate arrangements.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Thu, Sep 18, 2008 at 8:26 AM, David Whitehurst <dlwhitehurst at gmail.com> wrote:
> Mr. Beutel:
>
> I'm an independent consultant in NC and I've carried the one user, one
> login torch for years. I'm looking at creating authentication
> interfacing like an electronic filter to support enterprise operations
> and easy implementations. And, CAS is probably the best "already in
> use" product I've found. And, OpenID intrigues me but I'm not sure
> how to evangelize the use. I can evangelize CAS and it sells itself.
>
> Do you see a way to convince people to use it? I asked Scott
> Battaglia for any information that came out of the protocol phone
> conference. I am interested in anything that happens in relation to
> OpenID and CAS. Also, if use cases become clear and you need my help
> please ask. I would be interested in creating an authentication
> module for CAS for OpenID. And, maybe I'll just do it and send the
> group a note.
>
> It's fresh air to get your note about the use cases, especially when
> I'm looking hard at OpenID. It helps to know that I'm on the right
> track.
>
> Thanks,
>
> David Whitehurst
>
> On 9/18/08, J. David Beutel <jbeutel at hawaii.edu> wrote:
> > OpenID use cases were mentioned in the minutes of last month's
> > conference call:
> > http://www.ja-sig.org/wiki/display/CAS/2008-08-15+Conference+Call
> >
> > I have a use case for CAS as an OpenID client (i.e., Relying Party).
> > I'm developing a second-level CAS for multi-level authentication. (I
> > call it second-level because it first forces a username and password
> > authentication on our regular CAS.) It's protecting the user's bank
> > account number, which the user can input and read later. It uses secret
> > questions and answers (a.k.a. challenge/response), like many bank and
> > credit card web sites currently do.
> >
> > Some users might want to have stronger authentication for this. Some
> > OpenID providers offer free multi-factor authentication. (Various
> > non-free hardware can also provide multi-factor authentication via
> > OpenID.) The use case is to allow the user to configure an optional
> > OpenID which my second-level CAS authenticates in addition to the basic
> > questions and answers. The user goes to their OpenID provider like a
> > third level in the authentication chain. CAS has no guarantee about the
> > strength of that authentication, but it can be as strong as the user
> > chooses to protect their own information.
> >
> > Here's one OpenID provider I tried today that offers free multi-factor
> > authentication via a phone call, e.g., to a mobile phone:
> >
> > https://www.myopenid.com/about_callverifid
> >
> > Here's another OpenID provider that offers a different kind of
> > authentication using images in the browser. It's also free, although I
> > haven't tried it yet.
> >
> > http://www.vidoop.com/products
> >
> > It looks like we could do the phone authentication directly, using
> > http://www.phonefactor.com/ (as long as they continue providing it for
> > free, at least). However, OpenID would be better, because the user
> > would have a choice. For example, deaf users would have problems with
> > the phone call, while blind users can't do the image authentication.
> > Users with various authentication hardware, such as one-time-password
> > tokens or biometric readers, would also have the choice of using their
> > corresponding OpenID Provider. I wouldn't need to add support to CAS
> > for all these different types of authentication, just for OpenID.
> >
> > Although CAS currently can be an OpenID Provider, leveraging whatever
> > authentication it already has, by adding support for CAS to be an OpenID
> > Relying Party, it would leverage all the authentication on all the other
> > OpenID Providers. If it's an optional addition for the user, not an
> > alternative to the regular authentication, then it's not a problem that
> > CAS doesn't trust the OpenID Provider or know the strength of its
> > authentication.
> >
> > Cheers,
> > 11011011
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >