{"id":708,"date":"2007-03-06T01:06:56","date_gmt":"2007-03-06T09:06:56","guid":{"rendered":"\/?p=708"},"modified":"2007-03-06T01:16:19","modified_gmt":"2007-03-06T09:16:19","slug":"the-umpire-delegates-back","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=708","title":{"rendered":"The umpire delegates back"},"content":{"rendered":"<p>Pete Rowley of Red Hat has to win&nbsp;the&nbsp;Witty Title Award for &#8220;<a href=\"http:\/\/www.openrowley.com\/2007\/03\/04\/the-umpire-delegates-back\/\" class=\"broken_link\">The umpire delegates back<\/a>&#8221;:<\/p>\n<blockquote><p>Recently <a target=\"_blank\" href=\"https:\/\/www.identityblog.com\/\">Kim Cameron<\/a> has been <a href=\"\/?p=703\">defending CardSpace<\/a> against various assertions that it won\u2019t work offline. As I pointed out <a href=\"http:\/\/www.openrowley.com\/2006\/07\/07\/people-in-the-policy\/\" class=\"broken_link\">some while back<\/a>, that is pure nonsense. I\u2019ll let you read Kim\u2019s blog for the details of how such a system might work with CardSpace, but I\u2019ll just say it has to do with delegation. And that\u2019s just a big word for access control, in this case user centric decentralized access control.<\/p>\n<p>There really is no big secret to how this stuff is possible &#8211; at some point in time an offline user will be online, and during that time instead of ceding their credentials to the service in the sky (or worse, it happens without choice), they spend the time granting access specific to the service that needs access. That\u2019ll be a statement along the lines of \u201cPete\u2019s blog is allowed to view this flickr photoset.\u201d, not \u201chere\u2019s my password dude, do as you will\u201d, or indeed \u201chey, IdP, see that service? 
That\u2019s me that is.\u201d I have to agree with Kim on the notion of impersonation &#8211; at no time should anybody give the required access level for impersonation of themselves, on or offline.<\/p>\n<p>There be dragons.<\/p><\/blockquote>\n<p>Pete has a&nbsp;<a href=\"http:\/\/www.openrowley.com\" class=\"broken_link\">fascinating blog<\/a> and it&#39;s really worth following his <a href=\"http:\/\/www.openrowley.com\/2006\/07\/07\/people-in-the-policy\/\" class=\"broken_link\">People In The Policy<\/a> series.&nbsp; This is good stuff.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There really is no big secret to how this stuff is possible <\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[12,6,15,23,5,4],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/708"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=708"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/708\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=708"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=708"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel
}","templated":true}]}}