
Dotnet 4.5


Peter Williams

Jun 1, 2012, 9:00:27 PM
to dev-id...@lists.mozilla.org
Hopefully folks agree that I am on topic. If not, why not?

How does one make browserid real world (and fit the needs of legacy code)?

Yesterday dotnet4.5 was released - featuring commodity websso support. SSO is now officially commodity (be it the 1 billion folks with Verified by Visa SSO, or the webby SSO that Hallam-Baker started up, nearly 15 years ago (and that only now, just, "made it")).

With free-use developer tools, it's now trivial to build a website that features websso handlers - including those that do OpenID protocol, ws-fedp, and SAML2 (indirectly). Things like wizards for fashioning the interceptors and event handlers come for free. Things like JavaScript to have users pick an IdP (from a bunch cloud hosted) come too. It's likely browserid will get thrown in too, give it a few months.

Now, some enterprising folks should be even now deploying a gateway service, enabling such sites to connect up (using one of those last-mile "hidden" protocols - that just offload browserid assertion processing code to a (public, SaaS) browserid-gateway site). In general it's now quite normal for websso to be several hops, as claims get translated by one or more sites to more closely fit what the ultimate webapp (probably with legacy authz rules) needs.

After all, to adopt browserid should not be about only building new apps, or doing major refit of an old one. It should be as easy as adopting any of the other asserting protocols.

As an SP site (cloud vendor running realty MLS/membership SaaS services) we leave it to users to pick between browserid, or the OpenID built into their WordPress or Blogger Blogspot. Letting our customers then require that certain resources on the site (perhaps being an admin) must be browserid or better... is also "expected". This is just authentication "step up".


Peter Williams

Jun 1, 2012, 10:40:37 PM
to Peter Williams, dev-id...@lists.mozilla.org
Now one thing I didn't mention was a privacy phenomenon, almost unique to websso. It comes with commoditization - much like the girlfriend/wife comes with the mother-in-law (or vice versa).

If one looks at Twitter, say, they collect tracking info on you. What is not quite so clear (though the firm is trying hard to educate) is that the collection grid includes all those places you visit that happen to have (merely) a Twitter button. Whether you use it or not, you are now bought into the Twitter collection space - since the site you visited agreed to purvey such info (and disclose such in its own policy to you ... concerning its own tracking policies and who in its business network also "gets access").

All very American Internet (where your privacy rights are basically not worth having ... but at least you get something for giving it all up: lots of otherwise free sites).

Now the question in my mind is: will the browserid "login button" go the same way... as the Twitter button on a few hundred million "partners"?

Or is the Persona brand about staking out a "non commercial" privacy/tracking space within the websso world?

Daniel Mills

Jun 2, 2012, 7:45:11 AM
to Peter Williams, dev-id...@lists.mozilla.org
Our protocol is designed to limit precisely that kind of tracking.

Our web-based shim/popup is not used to track users in this way, either. This is our privacy policy:

https://browserid.org/privacy

Dan