[OpenID] OpenID For Web Services
Nic James Ferrier
nferrier at tapsellferrier.co.uk
Wed Feb 28 16:59:40 UTC 2007
George Fletcher <gffletch at aol.com> writes:
> [Ok, if I've configured tbird correctly, this should come through to you
> and the general list as plain text.]
>
> If we go back to the original use case of a person accessing the "main
> site" and then the "main site" invoking remote web services on the
> user's behalf... it seems like this should still be doable with your
> certificates.
>
> 1. The user enters their OpenID URL at the "main site"
> 2. The "main site" determines the OP and re-directs requesting
> authentication and certificates for each of the remote sites it wants to
> invoke (specification of certificates could use the "Attribute Exchange"
> extension).
> 3. User authenticates to OP (prooveme.com) and grants consent for the
> requested certificates to be generated and returned to the "main site".
> Note that this allows the certificates to be short-lived solving some of
> the certificate management issues.
> 4. The "main site" uses the certificates to access the desired
> remote sites
Yes. That's what our plan is.
Certificates are powerful authentication tokens. Up to now we've not
had the distributed token system on top.
> It seems like this model would also work using SAML Assertions as well
> as certificates. There might be a nice convergence path here.
Not thought about that. Cool idea.
--
Nic Ferrier
----------------------------------------------------------
Need a linux/java/python/web hacker? I'm in need of work!
----------------------------------------------------------
http://www.tapsellferrier.co.uk
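Constructed illustration of the four-step flow quoted above (added here; not code from either poster or from any OpenID implementation). The X.509 certificates the thread discusses are modelled as short-lived, audience-bound assertions signed with HMAC-SHA256 under a key shared between the OP and each remote site, which is the same shape a SAML assertion would take. The domain names, the per-site keys, the 300-second lifetime and the table that stands in for OpenID discovery are all assumptions; the whole exchange runs in one process so the main site, OP and remote sites are just functions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example. The OP ("prooveme.com" in the thread) mints short-lived,
# audience-bound assertions for each remote site the main site wants to call.
# Stand-in for the X.509 certificates (or SAML assertions) under discussion:
# a JSON claim set signed with HMAC-SHA256 under a key the OP shares with that
# remote site. Keys, lifetime and host names are assumptions.

OP_URL = "https://prooveme.com"
REMOTE_KEYS = {  # per-audience keys provisioned out of band (assumption)
    "https://calendar.example": secrets.token_bytes(32),
    "https://photos.example": secrets.token_bytes(32),
}
CERT_TTL = 300  # seconds; short-lived, so expiry replaces revocation


def _canonical(claims):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def _sign(claims, key):
    return hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()


def issue_certificate(user_openid, audience, now=None, ttl=CERT_TTL):
    """OP, step 3: after the user has authenticated and consented, mint one
    certificate bound to a single remote site with a short expiry."""
    now = time.time() if now is None else now
    claims = {
        "iss": OP_URL,
        "sub": user_openid,
        "aud": audience,
        "iat": int(now),
        "exp": int(now) + ttl,
        "jti": secrets.token_hex(8),  # unique id so a site can spot replays
    }
    return {"claims": claims, "sig": _sign(claims, REMOTE_KEYS[audience])}


def verify_certificate(cert, my_url, now=None):
    """Remote site, step 4: accept only a certificate from the OP that is
    addressed to this site, unexpired and correctly signed.
    Returns the subject (the user's OpenID URL) or None."""
    now = time.time() if now is None else now
    claims = cert.get("claims", {})
    key = REMOTE_KEYS.get(my_url)
    if key is None or claims.get("iss") != OP_URL:
        return None
    if claims.get("aud") != my_url:       # minted for a different site
        return None
    if not claims.get("exp", 0) > now:    # lifetime elapsed
        return None
    if not hmac.compare_digest(_sign(claims, key), cert.get("sig", "")):
        return None                       # tampered or forged
    return claims["sub"]


def discover_op(user_openid):
    # Step 2 simplified: real OpenID discovery fetches the user's URL and reads
    # its openid.server link; a constructed table stands in for that here.
    return {"https://nic.example/": OP_URL}.get(user_openid)


def main_site_flow(user_openid, remote_sites, now=None):
    """Steps 1 to 4 end to end: the main site takes the user's OpenID URL,
    discovers the OP, receives one certificate per remote site, and presents
    each certificate to the site it was minted for."""
    if discover_op(user_openid) != OP_URL:
        raise ValueError("unknown OP for %s" % user_openid)
    certs = {site: issue_certificate(user_openid, site, now) for site in remote_sites}
    return {site: verify_certificate(certs[site], site, now) for site in remote_sites}
```

The two checks worth noticing are the audience binding and the expiry: a certificate obtained for one remote site is useless at another, and a leaked one stops working after CERT_TTL seconds without any revocation machinery, which is the certificate-management simplification the quoted step 3 points at. With real X.509 the same properties come from the subject alternative name or extended key usage and the notAfter field.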