[OpenID] OpenID For Web Services

Nic James Ferrier nferrier at tapsellferrier.co.uk
Wed Feb 28 16:59:40 UTC 2007

George Fletcher <gffletch at aol.com> writes:

> [Ok, if I've configured tbird correctly, this should come through to you 
> and the general list as plain text.]
> If we go back to the original use case of a person accessing the "main 
> site" and then the "main site" invoking remote web services on the 
> user's behalf... it seems like this should still be doable with your 
> certificates.
> 1. The user enters their OpenID URL at the "main site"
> 2. The "main site" determines the OP and re-directs requesting 
> authentication and certificates for each of the remote sites it wants to 
> invoke (specification of certificates could use the "Attribute Exchange" 
> extension).
> 3. User authenticates to OP (prooveme.com) and grants consent for the 
> requested certificates to be generated and returned to the "main site".  
> Note that this allows the certificates to be short-lived solving some of 
> the certificate management issues.
> 4. The "main site" uses the certificates to access the desired
> remote sites

Yes. That's what our plan is.

Certificates are powerful authentication tokens. Up to now we've not
had the distributed token system on top.

> It seems like this model would also work using SAML Assertions as well 
> as certificates.  There might be a nice convergence path here.

Not thought about that. Cool idea.

Nic Ferrier
Need a linux/java/python/web hacker?  I'm in need of work!

More information about the general mailing list