Refeds


Subject RE: comments on eduID
From "Scott Cantor" <cantor.2@xxxxxxx>
Date Wed, 21 Oct 2009 12:15:41 -0400

Peter Schober wrote on 2009-10-21:
> * Nicole Harris <n.harris@xxxxxxxxxx> [2009-10-21 13:03]:
>> I think what we are trying to get to is what do we say in the
>> "foo.com" label, when we don't have a foo ;-)
> 
> I may have to re-read that google UI paper (it's been a while) but
> sticking with this example: Wouldn't foo.com be a local account at the
> SP you're accessing? So wouldn't foo.com be necessarily different for
> every publisher/SP/RP?

Right. google.com in this case is the *local* credential, not the "other"
option. What we have to fight in the broader world (and yes, this is going
to be a fight) is the perception that the best way to represent federated
choices is by the logos of the providers of those choices, because that's
where google, yahoo, et al have a monopoly on screen real estate.

Or we can decide to be attribute providers and give up on the idea that
users will want/need to use enterprise credentials from us in order to
access services outside of the core academic mission. In other words, you
might use them for Elsevier, but not for personal- or consumer-oriented
activity.

I'm not taking a strong position on that question, but I do think we have to
be brutally honest about our aspirations to understand what the "scope" of
this discussion ought to be.

The other point is whether the ability to break out of that logo-oriented
model that biases against us is going to require a client change (i.e. a
plugin), be it Infocard or otherwise, and whether we think that's viable in
an interesting time horizon (i.e. not just in 20 years).

> * Doesn't this plainly
>   contradict the conventional wisdom that users will gladly enter their
>   credentials anywhere if there's a form field for that?

That's true, but give google credit for at least not showing it asking for
your *password*. It's biased in favor of an SP that you'll divulge your
identity to (via email address) but doesn't directly phish you.

Of course, they would have to implement additional checks to prevent it
prompting you for a password if it doesn't recognize your username, but I
suppose the argument is that just about anything a campus ID might be could
be a google account name too. Obviously, that's considerably less likely if
a site has a much smaller account store.

-- Scott