[OpenID] Trust + Security @ OpenID

Johnny Bufu johnny at sxip.com
Mon Jul 9 20:39:21 UTC 2007


On 8-Jul-07, at 7:13 PM, Eric Norman wrote:

> 3.  Can I, as an RP, have independent testimony about the accuracy of
> these statements
> (claims)?   That's what an IdP provides.  An IdP consults the records
> it maintains about
> someone and provides testimony in the form of statements that reflect
> what's in those
> records.
>
> I think that's one of the main reasons that some in the OpenID
> community prefer to use
> the term OP instead of IdP.  There is really no mechanism by which an
> OP can provide
> independent testimony.

The OP may not be able to be the source of such statements, but the  
OpenID framework (core protocol and extensions) allows this.

OpenID Authentication performs the exchange of the authentication  
attribute.

With Attribute Exchange [1], RPs can request (and enforce if they  
choose to) whatever proof attributes they need, originating from  
third parties they choose to trust. In order for the trust  
verification to be possible, Signed Assertions [2] can be used. It is  
then up to the users / OPs to acquire the proofs needed to satisfy  
RPs' requirements.

This can be done today with OpenID, still in a decentralized way but  
this time trust is RP-centric.

Johnny

[1] http://openid.net/specs/openid-attribute-exchange-1_0-05.html
[2] http://www.mail-archive.com/specs@openid.net/msg00907.html
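The RP-centric trust model sketched in the message above, as an added example that is not part of this thread and not the wire format of the Attribute Exchange or Signed Assertions drafts: a third party signs an attribute claim about a user, the user / OP relays it, and the RP accepts it only if the issuer is in the RP's own trust list, the claim is about the identifier OpenID Authentication just confirmed, it is the attribute type the RP asked for, and the signature verifies. The assertion struct, the canonical signing form, the issuer and subject URLs and the attribute type URI are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assertion is a constructed, simplified attribute assertion: a third party
// (Issuer) states that Subject (an OpenID identifier) has attribute Type with
// Value. This is NOT the format defined by the AX or Signed Assertions drafts.
type Assertion struct {
	Issuer    string // identifier of the asserting third party
	Subject   string // the OpenID identifier the claim is about
	Type      string // attribute type URI (constructed example)
	Value     string
	Signature []byte // Ed25519 signature by Issuer over canonical(a)
}

// canonical returns the bytes the issuer signs. Binding issuer, subject and
// type into the signed data means the value cannot be replayed for another
// user or relabelled as a different attribute without breaking the signature.
func canonical(a Assertion) []byte {
	return []byte(a.Issuer + "\n" + a.Subject + "\n" + a.Type + "\n" + a.Value)
}

// Sign is what the asserting third party does before handing the assertion
// to the user / OP, who then carries it to whatever RP asks for it.
func Sign(a Assertion, priv ed25519.PrivateKey) Assertion {
	a.Signature = ed25519.Sign(priv, canonical(a))
	return a
}

// TrustStore is the RP's own list of third parties it accepts, keyed by
// issuer identifier. Trust is decided by the RP, not by the OP.
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUntrustedIssuer = errors.New("issuer not in RP trust store")
	ErrSubjectMismatch = errors.New("assertion is about a different subject")
	ErrTypeMismatch    = errors.New("assertion is for a different attribute type")
	ErrBadSignature    = errors.New("signature does not verify")
)

// Verify is the RP-side check on an assertion received via the OP.
// authenticatedSubject is the identifier OpenID Authentication confirmed;
// requiredType is the attribute type the RP requested.
func (ts TrustStore) Verify(a Assertion, authenticatedSubject, requiredType string) error {
	pub, ok := ts[a.Issuer]
	if !ok {
		return ErrUntrustedIssuer
	}
	if a.Subject != authenticatedSubject {
		return ErrSubjectMismatch
	}
	if a.Type != requiredType {
		return ErrTypeMismatch
	}
	if !ed25519.Verify(pub, canonical(a), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed demo: a hypothetical age-verification service vouches that
	// the user is over 18, and an RP that trusts that service checks the claim.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issuer := "https://age-verifier.example"
	rp := TrustStore{issuer: pub}

	a := Sign(Assertion{
		Issuer:  issuer,
		Subject: "https://alice.example/",
		Type:    "http://schema.example/over18", // constructed type URI
		Value:   "true",
	}, priv)

	fmt.Println("genuine assertion:", rp.Verify(a, "https://alice.example/", a.Type))

	// An OP or user that edits the relayed value breaks the signature.
	tampered := a
	tampered.Value = "false"
	fmt.Println("tampered value:", rp.Verify(tampered, "https://alice.example/", a.Type))

	// An RP with an empty trust list rejects it regardless of who signed it.
	fmt.Println("untrusted issuer:", TrustStore{}.Verify(a, "https://alice.example/", a.Type))
}
```

The subject check matters even though the subject is inside the signed data: it ties the third party's claim to the identifier the RP has just authenticated, so a valid assertion about one user cannot be presented by another.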