[cas-dev] OpenID use case

J. David Beutel jbeutel at hawaii.edu
Thu Sep 18 14:29:21 EDT 2008


I'm looking forward to meeting everyone in Madison!  I didn't try to 
join this morning's call, though, because it was at 4:30 am HST.  (I 
don't think I would have had anything more to contribute, anyway.)

Cheers,
11011011

Scott Battaglia wrote:
> Just an FYI, anyone is free to join the call (just get the info from 
> Ben) and we always publish more minutes. A lot of the final decisions 
> about architecture and protocol will be made in Madison, WI when we're 
> all in front of a whiteboard.  If you're not attending the 
> UnConference but want to be included in some of the talks either via 
> video conference or conference call let us know so we can make 
> appropriate arrangements.
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Thu, Sep 18, 2008 at 8:26 AM, David Whitehurst
> <dlwhitehurst at gmail.com> wrote:
>
>     Mr. Beutel:
>
>     I'm an independent consultant in NC and I've carried the one user, one
>     login torch for years.  I'm looking at creating authentication
>     interfacing like an electronic filter to support enterprise operations
>     and easy implementations.  And, CAS is probably the best "already in
>     use" product I've found.  And, OpenID intrigues me but I'm not sure
>     how to evangelize the use.  I can evangelize CAS and it sells itself.
>
>     Do you see a way to convince people to use it?  I asked Scott
>     Battaglia for any information that came out of the protocol phone
>     conference.  I am interested in anything that happens in relation to
>     OpenID and CAS.  Also, if use cases become clear and you need my help
>     please ask.  I would be interested in creating an authentication
>     module for CAS for OpenID.  And, maybe I'll just do it and send the
>     group a note.
>
>     It's fresh air to get your note about the use cases, especially when
>     I'm looking hard at OpenID.  It helps to know that I'm on the right
>     track.
>
>     Thanks,
>
>     David Whitehurst
>
>     On 9/18/08, J. David Beutel <jbeutel at hawaii.edu> wrote:
>     > OpenID use cases were mentioned in the minutes of last month's
>     > conference call:
>     > http://www.ja-sig.org/wiki/display/CAS/2008-08-15+Conference+Call
>     >
>     > I have a use case for CAS as an OpenID client (i.e., Relying Party).
>     > I'm developing a second-level CAS for multi-level authentication.  (I
>     > call it second-level because it first forces a username and password
>     > authentication on our regular CAS.)  It's protecting the user's bank
>     > account number, which the user can input and read later.  It uses
>     > secret questions and answers (a.k.a. challenge/response), like many
>     > bank and credit card web sites currently do.
>     >
>     > Some users might want to have stronger authentication for this.  Some
>     > OpenID providers offer free multi-factor authentication.  (Various
>     > non-free hardware can also provide multi-factor authentication via
>     > OpenID.)  The use case is to allow the user to configure an optional
>     > OpenID which my second-level CAS authenticates in addition to the
>     > basic questions and answers.  The user goes to their OpenID provider
>     > like a third level in the authentication chain.  CAS has no guarantee
>     > about the strength of that authentication, but it can be as strong as
>     > the user chooses to protect their own information.
>     >
>     > Here's one OpenID provider I tried today that offers free multi-factor
>     > authentication via a phone call, e.g., to a mobile phone:
>     >
>     > https://www.myopenid.com/about_callverifid
>     >
>     > Here's another OpenID provider that offers a different kind of
>     > authentication using images in the browser.  It's also free, although
>     > I haven't tried it yet.
>     >
>     > http://www.vidoop.com/products
>     >
>     > It looks like we could do the phone authentication directly, using
>     > http://www.phonefactor.com/ (as long as they continue providing it for
>     > free, at least).  However, OpenID would be better, because the user
>     > would have a choice.  For example, deaf users would have problems with
>     > the phone call, while blind users can't do the image authentication.
>     > Users with various authentication hardware, such as one-time-password
>     > tokens or biometric readers, would also have the choice of using their
>     > corresponding OpenID Provider.  I wouldn't need to add support to CAS
>     > for all these different types of authentication, just for OpenID.
>     >
>     > Although CAS currently can be an OpenID Provider, leveraging whatever
>     > authentication it already has, by adding support for CAS to be an
>     > OpenID Relying Party, it would leverage all the authentication on all
>     > the other OpenID Providers.  If it's an optional addition for the
>     > user, not an alternative to the regular authentication, then it's not
>     > a problem that CAS doesn't trust the OpenID Provider or know the
>     > strength of its authentication.
>     >
>     > Cheers,
>     > 11011011
>     > _______________________________________________
>     > cas-dev mailing list
>     > cas-dev at tp.its.yale.edu
>     > http://tp.its.yale.edu/mailman/listinfo/cas-dev
>     >
>
>
>   
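
The additive rule from the use case quoted above (an optional OpenID checked in addition to, never instead of, the regular factors), as an added example that is not part of the original message or of CAS. All class names, function names and identifiers are hypothetical, and verification of the OpenID assertion itself is assumed to have happened before this decision runs.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Enrollment:
    """Per-user second-level settings (hypothetical model)."""
    username: str
    openid_identifier: Optional[str] = None  # None: user did not opt in


@dataclass(frozen=True)
class Evidence:
    """What one login attempt has proven so far."""
    first_level_user: Optional[str]  # principal from the regular CAS
    questions_passed: bool           # secret questions and answers
    openid_claimed_id: Optional[str] = None  # already verified by RP code


def second_level_decision(enrolled: Enrollment, ev: Evidence) -> Tuple[bool, str]:
    """Grant only when every required step passed; OpenID never replaces one."""
    if ev.first_level_user != enrolled.username:
        return False, "first-level CAS login missing or for another user"
    if not ev.questions_passed:
        return False, "secret questions not answered"
    if enrolled.openid_identifier is None:
        return True, "base factors only"
    # The user opted in, so the extra step is now mandatory for this account.
    if ev.openid_claimed_id is None:
        return False, "configured OpenID step not completed"
    if ev.openid_claimed_id != enrolled.openid_identifier:
        return False, "OpenID assertion is for a different identifier"
    return True, "base factors plus user-chosen OpenID"


# Constructed sample data; the identifier is a placeholder.
ALICE = Enrollment("alice", "https://alice.example.org/")
BOB = Enrollment("bob")

if __name__ == "__main__":
    ok = Evidence("alice", True, "https://alice.example.org/")
    print(second_level_decision(ALICE, ok))
```

Because a valid OpenID assertion can only add a requirement and never satisfies the base checks, a weak or dishonest provider leaves the account no worse off than one without the option configured.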


