[OpenID] OpenID For Web Services

Paul Madsen paulmadsen at rogers.com
Wed Feb 28 17:19:37 UTC 2007


Hi George, how would the main site know for which remote sites it 
required a cert/assertion?

Wouldn't the main site be more typically interested in obtaining a token 
capturing the delegated rights for 'types' of remote service, and not 
particular instances?

Paul

George Fletcher wrote:
> [Ok, if I've configured tbird correctly, this should come through to you 
> and the general list as plain text.]
>
> If we go back to the original use case of a person accessing the "main 
> site" and then the "main site" invoking remote web services on the 
> user's behalf... it seems like this should still be doable with your 
> certificates.
>
> 1. The user enters their OpenID URL at the "main site"
> 2. The "main site" determines the OP and re-directs requesting 
> authentication and certificates for each of the remote sites it wants to 
> invoke (specification of certificates could use the "Attribute Exchange" 
> extension).
> 3. User authenticates to OP (prooveme.com) and grants consent for the 
> requested certificates to be generated and returned to the "main site".  
> Note that this allows the certificates to be short-lived solving some of 
> the certificate management issues.
> 4. The "main site" uses the certificates to access the desired remote sites.
>
> It seems like this model would also work using SAML Assertions as well 
> as certificates.  There might be a nice convergence path here.
>
> Thanks,
> George
>
> Nic James Ferrier wrote:
>   
>> Hi George... I had to strip your HTML so I hope I got the gist of your
>> message. We don't all use HTML MUAs you know.
>>
>>
>> George Fletcher <gffletch at aol.com> writes:
>>
>>     
>>> Very interesting. Are these long term certificates? 
>>>       
>> Could be. Again, that's up to the user. I'd suggest that if a user
>> wanted a long term relationship like:
>>
>>   photo site -> blog
>>
>>
>> then they'd be granting that cert for a long time. They'll also be able
>> to turn the cert off at any time.
>>
>>
>>     
>>> Will prooveme.com manage the generation of new certificates and
>>> delivery to flickr when the old one is about to expire? Or will that
>>> be the user's responsibility?
>>>       
>> Yes.
>>
>>
>> I'd hope that if certificates take off in any way we can come up with
>> more protocols, this time for distributing certificates automatically.
>>
>>   
>>     

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 
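The four-step flow George describes above (OP issues one short-lived credential per remote site, the main site presents it, the remote site checks it), written out as an added Python example that is not code from the thread. It assumes an HMAC key shared between the OP and each remote site in place of X.509 certificates or SAML assertions, and all site names and keys are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: the OP's signing key, assumed to be shared with every remote site.
OP_SIGNING_KEY = b"constructed-op-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user_openid, audience, rights, lifetime_s, now=None):
    """Step 3: the OP issues one assertion scoped to a single remote site ("aud"),
    carrying the rights the user consented to and a short expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_openid, "aud": audience, "rights": sorted(rights),
              "iat": now, "exp": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(OP_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def request_assertions(user_openid, wanted, lifetime_s=300, now=None):
    """Steps 2-3 from the main site's side: one assertion per remote site it
    intends to call; `wanted` maps remote site -> rights requested there."""
    return {site: issue_assertion(user_openid, site, rights, lifetime_s, now)
            for site, rights in wanted.items()}


def verify_assertion(token, my_site, required_right, now=None):
    """Step 4 at the remote site: accept only if signature, audience, expiry
    and the specific right all check out. Returns (ok, subject_or_reason)."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(OP_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(body)
    if claims.get("aud") != my_site:          # credential was issued for another site
        return False, "wrong audience"
    if now >= claims.get("exp", 0):           # short-lived: no revocation list needed
        return False, "expired"
    if required_right not in claims.get("rights", []):
        return False, "right not granted"
    return True, claims["sub"]
```

The audience check is what answers Paul's question in practice: an assertion minted for the photo site is useless at the blog even if the main site holds both.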