[OpenID] OpenID For Web Services
paulmadsen at rogers.com
Wed Feb 28 17:19:37 UTC 2007
Hi George, how would the main site know for which remote sites it
required a cert/assertion?
Wouldn't the main site be more typically interested in obtaining a token
capturing the delegated rights for 'types' of remote service, and not
George Fletcher wrote:
> [Ok, if I've configured tbird correctly, this should come through to you
> and the general list as plain text.]
> If we go back to the original use case of a person accessing the "main
> site" and then the "main site" invoking remote web services on the
> user's behalf... it seems like this should still be doable with your
> 1. The user enters their OpenID URL at the "main site"
> 2. The "main site" determines the OP and re-directs requesting
> authentication and certificates for each of the remote sites it wants to
> invoke (specification of certificates could use the "Attribute Exchange"
> 3. User authenticates to OP (prooveme.com) and grants consent for the
> requested certificates to be generated and returned to the "main site".
> Note that this allows the certificates to be short-lived solving some of
> the certificate management issues.
> 4. The "main site" uses the certificates to access the desired remote sites
> It seems like this model would also work using SAML Assertions as well
> as certificates. There might be a nice convergence path here.
> Nic James Ferrier wrote:
>> Hi George... I had to strip your HTML so I hope I got the gist of your
>> message. We don't all use HTML MUAs you know.
>> George Fletcher <gffletch at aol.com> writes:
>>> Very interesting. Are these long term certificates?
>> Could be. Again, that's up to the user. I'd suggest that if a user
>> wanted a long term relationship like:
>> photo site -> blog
>> then they'd be granting that cert for a long time. They'll also be able
>> to turn the cert off at any time.
>>> Will prooveme.com manage the generation of new certificates and
>>> delivery to flickr when the old one is about to expire? or will that
>>> be the user's responsibility?
>> I'd hope that if certificates take off in any way we can come up with
>> more protocols, this time for distributing certificates automatically.
Paul Madsen e:paulmadsen @ ntt-at.com
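The flow George sketches above (the OP issues a short-lived credential per remote site, the "main site" presents it, the remote site checks it before honouring the call), as an added example that is not part of this thread: a Python toy in which the OP signs a small delegation assertion with an HMAC key shared with the remote site, standing in for real certificates or SAML assertions, and the remote site rejects anything forged, issued for another site, expired, or revoked by the user. The key, site names, field names and function names are assumptions.

```python
# Added example (not from the thread): simplified stand-in for the short-lived
# per-remote-site "certificates" in George's flow. HMAC replaces a PKI/SAML
# signature purely to keep the example self-contained (assumption).
import base64
import hashlib
import hmac
import json
from typing import Optional

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def op_issue(key: bytes, openid_url: str, remote_site: str, rights: list,
             ttl: int, now: float) -> str:
    """OP (e.g. prooveme.com) issues one assertion per remote site the
    "main site" asked for; it is valid only for `ttl` seconds (step 3)."""
    claims = {"sub": openid_url, "aud": remote_site, "rights": rights,
              "iat": int(now), "exp": int(now) + ttl,
              "jti": f"{int(now)}-{remote_site}"}  # id the user can revoke
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def remote_verify(key: bytes, token: str, my_site: str, revoked: set,
                  now: float) -> Optional[dict]:
    """Remote site decides whether to honour the main site's call (step 4).
    Returns the claims on success, None on any failure."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None                        # malformed
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None                        # forged or tampered
    claims = json.loads(_unb64(body))
    if claims.get("aud") != my_site:
        return None                        # issued for a different remote site
    if now >= claims.get("exp", 0):
        return None                        # short-lived credential has expired
    if claims.get("jti") in revoked:
        return None                        # user "turned the cert off"
    return claims
```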