[OpenID] OpenID For Web Services

George Fletcher gffletch at aol.com
Wed Feb 28 16:49:52 UTC 2007

[Ok, if I've configured tbird correctly, this should come through to you 
and the general list as plain text.]

If we go back to the original use case of a person accessing the "main 
site" and then the "main site" invoking remote web services on the 
user's behalf... it seems like this should still be doable with your 

1. The user enters their OpenID URL at the "main site"
2. The "main site" determines the OP and re-directs requesting 
authentication and certificates for each of the remote sites it wants to 
invoke (specification of certificates could use the "Attribute Exchange" 
3. User authenticates to OP (prooveme.com) and grants consent for the 
requested certificates to be generated and returned to the "main site".  
Note that this allows the certificates to be short-lived solving some of 
the certificate management issues.
4. The "main site" uses the certificates to access the desired remote sites

It seems like this model would also work using SAML Assertions as well 
as certificates.  There might be a nice convergence path here.


Nic James Ferrier wrote:
> Hi George... I had to strip your HTML so I hope I got the gist of your
> message. We don't all use HTML MUAs you know.
> George Fletcher <gffletch at aol.com> writes:
>> Very interesting. Are these long term certificates? 
> Could be. Again, that's up to the user. I'd suggest that if a user
> wanted a long term relationship like:
>   photo site -> blog
> then they'd be granting that cert for a long time. They'll also be able
> to turn the cert off at any time.
>> Will prooveme.com manage the generation of new certificates and
>> delivery to flickr when the old one is about to expire? or will that
>> be the user's responsibility?
> Yes.
> I'd hope that if certificates take off in anyway we can come up with
> more protocols, this time for distributing certificates automatically.

More information about the general mailing list