[OpenID] Trust + Security @ OpenID
Johnny Bufu
johnny at sxip.com
Mon Jul 9 20:39:21 UTC 2007
On 8-Jul-07, at 7:13 PM, Eric Norman wrote:
> 3. Can I, as an RP, have independent testimony about the accuracy of
> these statements (claims)? That's what an IdP provides. An IdP consults
> the records it maintains about someone and provides testimony in the
> form of statements that reflect what's in those records.
>
> I think that's one of the main reasons that some in the OpenID
> community prefer to use the term OP instead of IdP. There is really no
> mechanism by which an OP can provide independent testimony.
The OP may not be able to be the source of such statements, but the
OpenID framework (core protocol and extensions) allows this.
OpenID Authentication performs the exchange of the authentication
attribute.
With Attribute Exchange [1], RPs can request (and enforce if they
choose to) whatever proof attributes they need, originating from
third parties they choose to trust. In order for the trust
verification to be possible, Signed Assertions [2] can be used. It is
then up to the users / OPs to acquire the proofs needed to satisfy
RPs' requirements.
This can be done today with OpenID, still in a decentralized way but
this time trust is RP-centric.
Johnny
[1] http://openid.net/specs/openid-attribute-exchange-1_0-05.html
[2] http://www.mail-archive.com/specs@openid.net/msg00907.html
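The RP-centric trust model described in the message above, as an added example that is not part of the original post or of any OpenID library: a third party the RP has chosen to trust signs an attribute statement about the user, the OP merely relays it, and the RP accepts the value only if the signature verifies against the key it holds for that issuer. The issuer identifiers, the attribute type URI, the canonical signed form and the use of Ed25519 are all assumptions made for this example; the Signed Assertions proposal's actual encoding and algorithm are not reproduced here, and the AX key-value transport is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Assertion is a hypothetical third-party statement: Issuer vouches that
// attribute Type has Value for the user identified by Subject.
type Assertion struct {
	Issuer  string // identifier of the third party (form assumed for this example)
	Subject string // the user's OpenID identifier
	Type    string // attribute type URI, as AX would name it
	Value   string
	Sig     []byte // issuer's Ed25519 signature over canonical(...)
}

// canonical builds the exact bytes that are signed. Each field is
// length-prefixed so that ("ab","c") and ("a","bc") cannot collide.
func canonical(issuer, subject, typ, value string) []byte {
	var b []byte
	for _, f := range []string{issuer, subject, typ, value} {
		b = append(b, []byte(fmt.Sprintf("%d:", len(f)))...)
		b = append(b, f...)
	}
	return b
}

// Issue is run by the third party, not by the OP: it signs the statement.
func Issue(priv ed25519.PrivateKey, issuer, subject, typ, value string) Assertion {
	return Assertion{issuer, subject, typ, value,
		ed25519.Sign(priv, canonical(issuer, subject, typ, value))}
}

// RPTrust is the RP's own trust decision: which issuers it accepts for
// which attribute type, and the public key it holds for each issuer.
type RPTrust struct {
	Keys    map[string]ed25519.PublicKey // issuer -> public key
	Issuers map[string][]string          // attribute type -> accepted issuers
}

// Verify is run by the RP on an assertion the OP relayed. The OP is not
// trusted for the value: only the issuer's signature and the binding to the
// authenticated user decide. An error explains the rejection for logging.
func (t RPTrust) Verify(a Assertion, authenticatedUser string) error {
	if a.Subject != authenticatedUser {
		return fmt.Errorf("assertion is about %q, not the authenticated user %q",
			a.Subject, authenticatedUser)
	}
	accepted := false
	for _, iss := range t.Issuers[a.Type] {
		if iss == a.Issuer {
			accepted = true
		}
	}
	if !accepted {
		return fmt.Errorf("issuer %q is not trusted by this RP for %s", a.Issuer, a.Type)
	}
	pub, ok := t.Keys[a.Issuer]
	if !ok {
		return fmt.Errorf("no public key on file for issuer %q", a.Issuer)
	}
	if !ed25519.Verify(pub, canonical(a.Issuer, a.Subject, a.Type, a.Value), a.Sig) {
		return fmt.Errorf("signature check failed: value was altered or not issued by %q", a.Issuer)
	}
	return nil
}

// DemoResult records which of four relayed assertions the RP accepted.
type DemoResult struct {
	Original, Tampered, Untrusted, WrongSubject bool
}

// Demo wires the parties together with constructed identifiers and keys.
func Demo() DemoResult {
	const ageType = "http://example.org/attributes/age_over_18" // constructed URI
	const trustedIssuer = "https://verifier.example"            // constructed
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rp := RPTrust{
		Keys:    map[string]ed25519.PublicKey{trustedIssuer: trustedPub},
		Issuers: map[string][]string{ageType: {trustedIssuer}},
	}
	alice := "https://alice.example.com/"

	good := Issue(trustedPriv, trustedIssuer, alice, ageType, "false")
	// The OP (or anyone on the path) flips the value in the user's favour.
	tampered := good
	tampered.Value = "true"
	// A party the RP never chose to trust signs a perfectly valid statement.
	untrusted := Issue(otherPriv, "https://random-op.example", alice, ageType, "true")
	// A genuine statement about another user, replayed for alice.
	bob := Issue(trustedPriv, trustedIssuer, "https://bob.example.com/", ageType, "true")

	return DemoResult{
		Original:     rp.Verify(good, alice) == nil,
		Tampered:     rp.Verify(tampered, alice) == nil,
		Untrusted:    rp.Verify(untrusted, alice) == nil,
		WrongSubject: rp.Verify(bob, alice) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Only the first assertion is accepted: the RP decides whose testimony counts, and the OP relaying the value gains nothing by altering it. Binding the assertion to the subject identifier matters as much as the signature; without it a valid statement about one user could be replayed for another.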