Refeds


Subject Re: comments on eduID
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Wed, 21 Oct 2009 13:31:12 +0200

* Nicole Harris <n.harris@xxxxxxxxxx> [2009-10-21 13:03]:
> I think what we are trying to get to is what do we say in the
> "foo.com" label, when we don't have a foo ;-)

I may have to re-read that Google UI paper (it's been a while) but
sticking with this example: Wouldn't foo.com be a local account at the
SP you're accessing? So wouldn't foo.com be necessarily different for
every publisher/SP/RP?

But IMO these suggestions by Google assume (which will certainly be
right for the Googles and Amazons of the world, but may not be right
for every federated SP on the planet):

* Local accounts at the SP/RP are available in the first place
* Local accounts are used by the majority of accessing users
  (otherwise why bother all users with this)?
* Doesn't this plainly contradict the conventional wisdom that users
  will gladly enter their credentials anywhere if there's a form field
  for that? That's the reason we usually make local authentication less
  prominent (i.e. if the application can show one mode of
  authentication first, and "need more choices/help" later, defer the
  local authentication until last).

In other words this may be adequate if you're only offering federated
authentication as an afterthought or a fallback mechanism, not as the
main (or only) means of login.
-peter