[Systers-dev] Considering LDAP and OpenID
Robin Jeffries
robin at jeffries.org
Wed May 27 21:23:59 PDT 2009
If I were to guess, there are probably no more than 100 of the 3000 systers
who have any experience with OpenID/have an OpenID identifier. I think that
has two important implications:

- This has to be easy for people to use/figure out with no previous
experience. (We do assume/believe that all systers have some computational
experience, though I do find it doesn't always extend outside of their
specific area of expertise -- we all sometimes turn off our "computational
brain" when we go home and relax.) I would hate for women to feel locked out
of systers or the systers wiki because they couldn't make sense of the
access method.

- If we meet the first requirement, we should be thinking several years
down the road (always a tricky thing to do), to understand how OpenID or
OpenLDAP will be used then. What if you used one of them for half the sites
you access? Would that be good or bad? Do you think most people will rely
on one provider, or a different provider for different parts of your life?
(I have a great fear of someone using our OpenID relying authority to
access their bank account -- I'm not sure we can guarantee that level of
protection, given our resources.) Will they even understand what to look
for in a relying authority (and how would we educate new members)?
Robin
On Wed, May 27, 2009 at 3:19 PM, Jennifer Redman <jenred at gmail.com> wrote:
> Malveeka Tewari is our student leading the Systers GSoC authentication
> project. One aspect of the project involves determining if we want to use
> LDAP or OpenID (or both) as authentication mechanisms.
> To provide a little bit of background, Mailman currently uses pickle files
> (http://docs.python.org/library/pickle.html) to store user data. With our
> mailman extensions (particularly the dynamic sublist functionality - the
> ability to subscribe and unsubscribe from conversations), we use a mix of
> default pickle files and a PostgreSQL db to handle the dlist functionality.
>
> Our first step is going to be to extract all the user data from the pickle
> files into a SQL Member Adaptor to allow for storage in any SQL db, and then
> use that data for either LDAP or OpenID authentication or maybe both.
>
> Malveeka came up with some great questions regarding LDAP and OpenID
> functionality, she sent them to me previously - but I think they are worthy
> of discussion amongst Systers' end-users.
>
> Here are her questions (I'm going to add that we are looking at Mediawiki as
> the first application against which we would like to authenticate):
>
> This site provides a comprehensive summary of how OpenID works:
> http://framework.zend.com/manual/en/zend.openid.html#zend.openid.introduction.how
>
> With OpenID, there are two important parties: the OpenID Provider and the
> OpenID relying party.
> Relying party: The site that wants to verify the end-user's identifier.
> Sometimes also called a "service provider".
> Server or server-agent: The server that verifies the end-user's identifier.
> This may be the end-user's own server (such as their blog), or a server
> operated by an identity provider.
> As I understand it, we want to implement an OpenID server as we want our
> users to authenticate using mailman and access other sites.
>
> I am not sure if we want to implement an OpenID relying party for Systers.
> Allowing OpenID relying on Systers might mean users can authenticate with
> other OpenID providers and access Systers site without having a systers
> account. Maybe we want to allow this feature for gaining visibility or may
> be this is not desired, I am not sure. (Also, we can implement added
> verification on Systers to make sure we allow access to only valid Systers
> members) I need your opinion on this.
>
> I will certainly want to implement LDAP enabled access but, as I said, I
> would personally want to begin with the OpenID implementation. However, there
> might be reasons to take up the OpenLDAP approach over OpenID. Here again, I
> need feedback from you. For deciding which approach is better, I think we
> need to understand:
>
> What kind of users are we targeting?
> (What users need to do extra in each implementation (LDAP and OpenID) for
> them to access other sites. E.g. in the OpenID implementation, they would
> need to create their OpenID identifier. OpenLDAP will not require much user
> intervention but will be more complex to implement.)
>
> What kind of applications/sites do we wish to extend Systers authentication
> support to?
> (One disadvantage of OpenID is that the applications we can access with the
> OpenID identifier need to be OpenID enabled as well. However, increasingly a
> lot of applications/sites are becoming OpenID enabled.
> http://openid.net/where/ They say there are nearly 10,000 sites that support
> OpenID but these may not be the applications/sites we are actually
> interested in.)
>
> Security concerns?
> (OpenID is less secure than OpenLDAP)
>
> ### End Malveeka's questions ###
>
>
> Does anyone feel particularly strongly about using OpenID vs LDAP? My
> inclination is that you would need a Systers provided OpenID since we don't
> want to open up access to anyone with an OpenID.
>
> Thanks,
> Jen
>
>
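As an added illustration of the provider/relying-party split Malveeka describes, and of her idea of "added verification on Systers to make sure we allow access to only valid Systers members", here is a minimal OpenID 2.0-style exchange in Python. This is example code written for this page, not code from the GSoC project, Mailman or Mediawiki. The provider signs a positive assertion with a MAC key shared through an association, and the relying party checks the signature, the return_to URL, the OP endpoint, a replay nonce and a member whitelist. The endpoint URLs, the member list and the member-check rule are assumptions made for the example.

```python
"""Minimal OpenID 2.0-style signed assertion: provider side and relying-party side.
Example code for illustration only; endpoints and member list are assumed."""
import base64
import hashlib
import hmac
import os
import time

# Hypothetical endpoints and member list, assumed for the example only.
OP_ENDPOINT = "https://openid.example.org/server"        # the OpenID Provider
RP_RETURN_TO = "https://wiki.example.org/openid/return"  # where the RP expects the response
MEMBERS = {"https://openid.example.org/id/alice", "https://openid.example.org/id/bob"}


def new_association():
    """Shared secret (MAC key) the RP and OP agree on before authentication
    (an OpenID 2.0 'association'); the handle names it in later messages."""
    handle = base64.b64encode(os.urandom(9)).decode()
    mac_key = os.urandom(32)  # key for the HMAC-SHA256 association type
    return handle, mac_key


def kv_form(params, signed_fields):
    """Key-Value form the signature covers: one 'field:value\\n' line per signed field."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()


def sign(params, signed_fields, mac_key):
    mac = hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def provider_positive_assertion(claimed_id, return_to, handle, mac_key):
    """What the OP sends the browser back to the RP with after the user logs in."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + base64.b64encode(os.urandom(6)).decode()
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign(params, signed, mac_key)
    return params


class RelyingParty:
    # Fields the RP insists are under the signature; otherwise an attacker could edit them freely.
    REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

    def __init__(self, associations, members, return_to):
        self.associations = associations  # handle -> mac_key
        self.members = members            # assumed whitelist of member identifiers
        self.return_to = return_to
        self.seen_nonces = set()          # replay protection

    def verify(self, params):
        """Return (True, claimed_id) on success or (False, reason) on failure."""
        if params.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        mac_key = self.associations.get(params.get("openid.assoc_handle"))
        if mac_key is None:
            return False, "unknown association handle"
        signed = params.get("openid.signed", "").split(",")
        if not self.REQUIRED_SIGNED.issubset(signed):
            return False, "required fields not covered by signature"
        if params.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch"
        if params.get("openid.op_endpoint") != OP_ENDPOINT:
            return False, "unexpected OP endpoint"
        try:
            expected = sign(params, signed, mac_key)
        except KeyError:
            return False, "signed field missing"
        if not hmac.compare_digest(expected, params.get("openid.sig", "")):
            return False, "bad signature"
        nonce = params["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return False, "replayed response_nonce"
        self.seen_nonces.add(nonce)
        claimed_id = params["openid.claimed_id"]
        if claimed_id not in self.members:  # the extra Systers-only check
            return False, "valid OpenID but not a Systers member"
        return True, claimed_id


def demo():
    """Run one genuine login, a tampered response, a replay and a non-member login."""
    handle, mac_key = new_association()
    rp = RelyingParty({handle: mac_key}, MEMBERS, RP_RETURN_TO)
    good = provider_positive_assertion("https://openid.example.org/id/alice", RP_RETURN_TO, handle, mac_key)
    results = {"genuine": rp.verify(dict(good))}
    tampered = dict(good)
    tampered["openid.claimed_id"] = "https://openid.example.org/id/bob"  # edited in transit
    results["tampered"] = rp.verify(tampered)
    results["replayed"] = rp.verify(dict(good))  # same signed response presented twice
    outsider = provider_positive_assertion("https://openid.example.org/id/mallory", RP_RETURN_TO, handle, mac_key)
    results["non_member"] = rp.verify(outsider)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The member whitelist at the end is the piece that answers Jen's point: accepting assertions from any OpenID provider is safe only if the relying party separately decides who is a member, so a Systers-run provider and a membership check are two different controls, not one.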
>