dotgnu-auth

[Auth]delurking with opinions


From: Kurt L. Sussman
Subject: [Auth]delurking with opinions
Date: Sat, 4 Aug 2001 10:25:23 -0700
User-agent: Mutt/1.2.5i

I've been following along for a while now, and I see some great ideas
here. I'm looking forward to writing a little code (or maybe test plans
and tools?), but as a user, I have some issues with what's being
proposed.

First, I don't want to be tied to any browser. I use Mozilla, Konqueror,
and Netscape on my main desktop and notebook, and Netscape and IE on my
test systems. I also use wget and lynx where they're appropriate. I
don't want to be tied to one computer or one browser. Yes, I spend money
at web sites through the closest computer. And I believe that nerds like
me will be the early adopters of any open authentication service. 

Second, I think the kiosk question has to be considered from the
beginning. I don't often travel without my notebook, but if I'm going to
go to Paris for a week or two this fall, my wife will probably make sure
I forget to take it. I'll still need to make sure my servers are up, and
if a disk fails I'll need to order replacement parts ASAP. This is not a
hypothetical example; this has happened more than once. That was Hawaii,
not Paris. #:)

Third (and last, for now), I want to restrict the information based on
the site it's going to. I don't want to give buy.com my real email, I'll
give them one at spamgourmet.com. But I don't mind if my bank or
brokerage has the real address, and there's no point trying to block
things like SSN, driver's license number, home phone, etc. from the
bank because they already have all that. Buy.com can have one credit
card number (and I want to pick which one each time), but not all of
them. I'm sure you understand what I mean here. Implementation will be
difficult, I know.

A solution is for the web site requesting info from the user to let me
specify a URL, maybe with a new scheme ("pid://myserver/auth/mylogin")
and have myserver queue the request, maybe sending me email to notify or
confirm the request. The immediate transaction would be delayed, but only
the first time. The email will include a URL for me to specify which
info the requestor has requested, and which data I will allow the
requestor to see (maybe the request has three categories: required,
desired, other). The next time I go to the requestor site, they get my
id from a session cookie or from the PID URL again, but this time
myserver gives them the data.

I think sites that choose to sign up with Passport for user auth will
have to change their sites to fill fields from Passport's XML(?)
response, so this little tweak (which could be provided to webmasters in
every language under the sun in a few weeks by this community) doesn't
seem like a lot to ask for access to dotGNU auth.

I've seen some of this covered here (I'm a little behind on my list
traffic, apologies if I missed something), but I haven't seen one idea
that covers all three of my requirements for remote auth.

I hope this is useful. I want to see this project achieve the goal of
being better than Passport. I personally don't think browser plugins and
unrestricted information are the best way to reach that goal.

--Kurt
-- 
----------------------------------------------------------------------
    Merlot Research Group, Inc               http://www.merlot.com
    Software Quality and Testability Consulting     address@hidden
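
The queued-request flow proposed in the message above, sketched as an added example that is not part of the original post or of any dotGNU code. `PidServer`, `request`, `approve`, the field names and the sample profile are all hypothetical, and the rule that an unapproved required field fails the whole request is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample profile; every value is a placeholder.
PROFILE = {
    "email": "real@example.org",
    "email_alias": "shop-alias@example.net",
    "card_1": "CARD-PLACEHOLDER-1",
    "card_2": "CARD-PLACEHOLDER-2",
    "home_phone": "555-0100",
}

@dataclass
class PidServer:  # hypothetical stand-in for "myserver"
    profile: dict
    pending: dict = field(default_factory=dict)  # site -> {category: [fields]}
    grants: dict = field(default_factory=dict)   # site -> set of approved fields
    outbox: list = field(default_factory=list)   # stands in for the notification e-mail

    def request(self, site, required=(), desired=(), other=()):
        """Called by the requesting site; returns (status, data)."""
        asked = {"required": list(required), "desired": list(desired), "other": list(other)}
        if site not in self.grants:
            # First contact: queue the request, notify the user, release nothing.
            self.pending[site] = asked
            self.outbox.append(f"{site} asks for {asked}")
            return "pending", {}
        allowed = self.grants[site]
        wanted = [f for fields in asked.values() for f in fields]
        data = {f: self.profile[f] for f in wanted if f in allowed and f in self.profile}
        # Assumption: a required field the user never approved fails the whole request.
        if any(f not in data for f in asked["required"]):
            return "denied", {}
        return "ok", data

    def approve(self, site, fields):
        """Called by the user from the e-mailed link; grants are per site."""
        asked = self.pending.pop(site)  # KeyError if nothing is queued for this site
        requested = {f for fs in asked.values() for f in fs}
        self.grants[site] = set(fields) & requested  # cannot grant what was not asked for
        return self.grants[site]

def demo():
    srv = PidServer(PROFILE)
    ask = dict(required=["email_alias", "card_1"], desired=["home_phone"], other=["card_2"])
    first = srv.request("shop.example", **ask)            # queued, nothing released
    srv.approve("shop.example", ["email_alias", "card_1", "email"])
    second = srv.request("shop.example", **ask)           # only approved fields come back
    widened = srv.request("shop.example", required=["email"])    # never approved
    other_site = srv.request("bank.example", required=["email"])  # separate grant needed
    return first, second, widened, other_site
```
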

