Subject: Re: [orms] Use Case - OpenID RP Reputation in Trusted Exchange

Hi Nate,

> I understand, and that makes sense. I agree that the RP's reputation is
> very important for safeguarding user information that is sent.
>
> However, I think your view here is different from the common OpenID
> view. That's mostly because they're worried about spam and less
> important user data and applications. See, for example, this page.
> You'll see that most people are concerned about the OP, and some are
> concerned about both.
>

Yes. I noticed that fact by hearing many conversations in the past IIWs. I think that it is because the credibility of the OP is more important in most of the currently existing use cases, such as social bookmarks and online albums. In those use cases, RPs are providing something valuable and should be protected. However, the balance of importance between OP and RP will switch when the OP retains valuable data of users and has strong credibility, such as financial institutes or telecom carriers. We might not even need reputation for those organizations.

NRI is a system integrator. Our perspective is closer to those organizations rather than Web2.0 service providers. But we understand their perspectives, too.

> http://wiki.openid.net/Reputation
>
> For our use cases in R&E, the reputation of both is important. The
> OP/IdP is trusted to send accurate information about real users, and
> login users properly. The RP is expected to treat user data with
> caution and not receive more information than they need.
>

This is the most important reason why we include contract negotiation processes in the TX. In our real use case, RPs (travel service providers) know that the OP (airline) is trustworthy because it is the center of their business ecosystem. This model lowers the barrier for RPs to join the business community (because they don't have to manage customer information, payment and so forth. And they can reach a mass of existing customers easily). And also this model encourages RPs to compete with each other by evaluating reputation scores. So, the business community grows and evolves organically.

>>> 2) How do providers decide which reputation service to use and
>>> trust, since anyone can set one up?
>>>
>>
>> We are expecting that reputation services or realm organizers are
>> likely to be the same role as SSL certificate providers for web sites.
>> The difference from SSL providers is that OP's credibility is built on
>> OP's history of behavior and evaluation from many RPs.
>>
>
> This makes sense, but it triggers another question. This becomes
> relevant when you see my comments on #3.
>
> Can reputation services connect? In other major reputation systems
> there is input from many different services. Think about credit
> ratings: there are many ratings agencies, and each of them is fed with
> information from many sources.
>

I don't think that the source of data which calculates the reputation score should be generated in a single reputation service. The sources should be mashed up if necessary. But our use case is still closed in a specific domain. If the OP can evolve to some kind of credit rating agency, interconnection of all data sources and reputation results (which can be sources to other reputation services) is mandatory. But I still don't know how it happens. We haven't explored that far yet. I just hope that the output of this TC will facilitate the solution you are looking for.

>
> We have an additional constraint. There are forms of "reputation" for
> OP's and RP's that only one entity could assert. For example, we want
> to say that an OP/RP is a member of a particular group. That group
> could imply many different and specific things that are useful for
> trusting identity information; for example, "part of the University of
> California System".
>
> I'd love to be able to pass back more information about other reputation
> systems so that the main "SSL" style system could allow the OP/RP to
> chase a reference to find out whether its partner is part of the
> University of California, for example.
>

I think that this use case is a kind of *certified attributes* or whatever you name it. I am not sure this is in the scope of reputation. My view of reputation data is something quantifiable and measurable objectively, so both human and machine can evaluate it. It is also dynamically re-calculated by inputs, so it changes frequently.

To come up with a distinctive and rigorous definition is a part of the TC work. Therefore, I leave this to the TC. Please consider this is my version.

> I really appreciate the feedback and your hard work,
> Nate.

Thank you very much for valuable comments and inputs ;-)

Tatsuki