[OpenID] OpenID For Web Services
Paul Madsen
paulmadsen at rogers.com
Wed Feb 28 17:19:37 UTC 2007
Hi George, how would the main site know for which remote sites it
required a cert/assertion?
Wouldn't the main site be more typically interested in obtaining a token
capturing the delegated rights for 'types' of remote service, and not
particular instances?
Paul
George Fletcher wrote:
> [Ok, if I've configured tbird correctly, this should come through to you
> and the general list as plain text.]
>
> If we go back to the original use case of a person accessing the "main
> site" and then the "main site" invoking remote web services on the
> user's behalf... it seems like this should still be doable with your
> certificates.
>
> 1. The user enters their OpenID URL at the "main site"
> 2. The "main site" determines the OP and re-directs requesting
> authentication and certificates for each of the remote sites it wants to
> invoke (specification of certificates could use the "Attribute Exchange"
> extension).
> 3. User authenticates to OP (prooveme.com) and grants consent for the
> requested certificates to be generated and returned to the "main site".
> Note that this allows the certificates to be short-lived solving some of
> the certificate management issues.
> 4. The "main site" uses the certificates to access the desired remote sites
>
> It seems like this model would also work using SAML Assertions as well
> as certificates. There might be a nice convergence path here.
>
> Thanks,
> George
>
> Nic James Ferrier wrote:
>
>> Hi George... I had to strip your HTML so I hope I got the gist of your
>> message. We don't all use HTML MUAs you know.
>>
>>
>> George Fletcher <gffletch at aol.com> writes:
>>
>>
>>> Very interesting. Are these long term certificates?
>>>
>> Could be. Again, that's up to the user. I'd suggest that if a user
>> wanted a long term relationship like:
>>
>> photo site -> blog
>>
>>
>> then they'd be granting that cert for a long time. They'll also be able
>> to turn the cert off at any time.
>>
>>
>>
>>> Will prooveme.com manage the generation of new certificates and
>>> delivery to flickr when the old one is about to expire? or will that
>>> be the user's responsibility?
>>>
>> Yes.
>>
>>
>> I'd hope that if certificates take off in anyway we can come up with
>> more protocols, this time for distributing certificates automatically.
>>
>>
>>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
More information about the general
mailing list