OpenID-style Group Proposal
robla at robla.net
Sun Jul 30 07:49:14 UTC 2006
I mainly just lurk here, and I'll probably go back to lurking, but I had
a notion that I wanted to throw out there in case it interests anyone.
My apologies if I'm going over well-covered territory. I'll call it
"GroupID" as shorthand.
The OpenID concept of allowing someone to simply assert "I own this
URL" (and no more) is very powerful. It would be interesting to take
that same approach to creating federated group memberships.
I'll describe a use case, and work backward from there. Let's say that
I want to grant everyone who has gained Sysop status on MediaWiki sysop
status on my own wiki. Let's assume that Wikipedia fully implements
OpenID (realizing, of course, this won't happen for a little while).
Only if the user actually asserts a Wikipedia URL, combined with regexp
matching, would you even have a way of knowing that a user has a valid
account. You still have no good way of knowing if that account has
sysop status.
The GroupID concept would be that a site supporting OpenID could extend
it by publishing a URL as a GroupID url. So, they could publish a URL
(e.g. http://en.wikipedia.org/groupid/sysops ) of which they say "we will
verify your assertion that your OpenID is a member of the group
identified at that URL".
Now, even if I don't want to use my Wikipedia user account URL, I can
assert "I own http://robla.net , and I'm a sysop on Wikipedia, which can
be verified at http://en.wikipedia.org/groupid/sysops". Since, under my
fantasy scenario, Wikipedia is already letting me log in using my
http://robla.net OpenID, the association between http://robla.net and
Wikipedia user "RobLa" is already made. The fact that the user id and
the group id are two different domains operated by two different parties
is what makes this kinda cool.
What would happen under the hood would be a handshake very similar to
the OpenID handshake. A normal OpenID handshake would happen first
against http://robla.net. Then, the assertion would be checked against
the GroupID. The GroupID server would also be an OpenID consumer,
authenticating http://robla.net before validating the assertion that
user http://robla.net is a member of
http://en.wikipedia.org/groupid/sysops . An OpenID handshake between
the consumers would probably be necessary.
In the user interface for my custom MediaWiki install, all that would be
necessary would be for me to say "I want to grant everyone in the
http://en.wikipedia.org/groupid/sysops group sysop status on my own
That's just one example. Another use case would be for one party to
have a vetting service, e.g. "show me two forms of ID and sign this
agreement that you will abide by this code of ethics, and I will verify
you've done this by verifying your OpenID is a member of
Anyway, just a wishlist feature for down the road when someone is bored.
Once again, apologies if this idea is old news.
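As an added illustration (not part of the original post, and not real OpenID code), here is a Python toy model of the two-stage handshake described above: the relying party's OpenID check of the user's URL, followed by the GroupID server running its own OpenID check of that same URL before answering the membership question. The HMAC stand-in for OpenID signatures, the class and function names, and every URL other than http://robla.net and http://en.wikipedia.org/groupid/sysops are assumptions.

```python
import hashlib
import hmac
import secrets

class OpenIDProvider:
    """Toy stand-in for the OpenID server behind a user URL such as http://robla.net;
    real OpenID association/signature details are reduced to an HMAC (assumption)."""
    def __init__(self, identity_url):
        self.identity_url = identity_url
        self.keys = {}  # consumer URL -> shared secret from "association"
    def associate(self, consumer_url):
        self.keys[consumer_url] = secrets.token_bytes(32)
        return self.keys[consumer_url]
    def assert_login(self, consumer_url, nonce):
        # The user logs in here; the provider signs "identity_url authenticated to consumer_url".
        msg = f"{self.identity_url}|{consumer_url}|{nonce}".encode()
        sig = hmac.new(self.keys[consumer_url], msg, hashlib.sha256).hexdigest()
        return {"identity": self.identity_url, "consumer": consumer_url, "nonce": nonce, "sig": sig}

def verify_assertion(key, a, consumer_url, nonce):
    """Consumer side: check the signature, and that the assertion was issued for this
    consumer and this nonce (an assertion meant for another site is not accepted)."""
    if a["consumer"] != consumer_url or a["nonce"] != nonce:
        return None
    msg = f"{a['identity']}|{a['consumer']}|{a['nonce']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return a["identity"] if hmac.compare_digest(expected, a["sig"]) else None

def openid_handshake(provider, consumer_url):
    """One simplified OpenID handshake run by consumer_url; returns the verified URL or None."""
    key = provider.associate(consumer_url)
    nonce = secrets.token_hex(8)
    return verify_assertion(key, provider.assert_login(consumer_url, nonce), consumer_url, nonce)

class GroupIDServer:
    """Site publishing GroupID URLs (e.g. http://en.wikipedia.org/groupid/sysops). It is itself
    an OpenID consumer: it re-authenticates the user's URL instead of trusting the relying party."""
    def __init__(self, site_url, groups):
        self.site_url = site_url
        self.groups = groups  # group URL -> set of member OpenID URLs, bound when they logged in here
    def verify_membership(self, group_url, provider):
        identity = openid_handshake(provider, self.site_url)  # its own handshake, not the RP's
        return identity is not None and identity in self.groups.get(group_url, set())

def grant_sysop(wiki_url, provider, group_server, group_url):
    """Relying party (my wiki): OpenID handshake against the user's URL, then the GroupID
    check. Returns (identity, is_member), or None if the OpenID step fails."""
    identity = openid_handshake(provider, wiki_url)
    return None if identity is None else (identity, group_server.verify_membership(group_url, provider))
```

The membership answer is only as good as the GroupID server's own authentication of the URL; the replay and tampering checks in `verify_assertion` are what stop a relying party, or anyone else, from simply claiming to be http://robla.net.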