[OpenID] 2-Headed OpenID Auth for Increased Security?
George Fletcher
gffletch at aol.com
Mon Dec 1 17:42:58 UTC 2008
Ben Laurie wrote:
>
>
> On Mon, Dec 1, 2008 at 4:11 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>
> FYI, see
>
> http://wiki.oasis-open.org/xri/XrdOne/SimpleSign
>
>
> I have no idea why that proposes to use OAuth encoding for the
> signature. Why not simply sign the document as is?
+1 (this is the approach taken by the SAML SimpleSign binding[1])
[1] http://wiki.oasis-open.org/security/SimpleSignBinding
>
> It also doesn't talk at all about how one gets to trust the signing
> cert or who should sign what.
>
>
> =nat
>
> On Mon, Dec 1, 2008 at 10:41 PM, Ben Laurie <benl at google.com> wrote:
>
>
>
> On Mon, Dec 1, 2008 at 1:23 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
>
> Xrd or xrds?
>
>
> XRD.
>
>
> Interesting! If you go XRD, then you can do DNSSEC-like
> namespace controls, much like the trusted resolution mode
> of XRI.
>
>
> Not yet all that familiar with fully blown XRD, so I'll have to
> take your word for this - but I am familiar with DNSSEC, so
> I'm wondering what you mean by a "namespace control"?
>
>
> Rather than be DNSSEC static, however, signatures on XRD
> could also serve as security tokens, citable on the peer
> (web) services ("managed" by the XRI/URI). Butler Lampson
> will be in heaven.
>
> ________________________________
> From: Ben Laurie <benl at google.com>
> Sent: Monday, December 01, 2008 5:13 AM
> To: Peter Williams <pwilliams at rapattoni.com>
> Cc: Eric Norman <ejnorman at doit.wisc.edu>; OpenID List <general at openid.net>
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
>
>
> On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Time to take the extension power of XRDS, and apply
> xmldsig "detached signature(s)"
>
> Signing XRD is pretty much what we're proposing for the
> next generation...
>
>
>
> This would use a similar mechanism to the one used in
> Authenticode, where designers applied 3rd-party
> countersigning and 4th-party timestamping to solve
> validity problems - at internet scale. Different parties
> (OP, discovery agents, validation) can then cooperate, in
> the inherently suspicious world of open systems.
>
> The Shib/Apache-xmltooling toolset has all the mechanisms
> required to make power-use of the flexibility of the
> xmldsig standard (as do many other tools). Being very,
> very flexible in its references, it's easy to screw up
> application of xmldsig, producing unwanted side effects though.
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eric Norman
> Sent: Sunday, November 30, 2008 9:50 AM
> To: OpenID List
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
>
> On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
>
> > I like the idea.... but the XRDS would have to mandatorily not be
> > hosted by either OP (which right now is commonly done), since that OP
> > would still ultimately have total assertion power by temporarily
> > manipulating the XRDS file to point to two OP endpoints that were both
> > controlled by the evil party.
>
> Be careful. "Hosted by" does not necessarily imply "content
> controlled by".
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
>
>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
>
>
>
--
Chief Architect, Identity Services, AOL LLC
Work: george.fletcher at corp.aol.com
Home: gffletch at aol.com
AIM: gffletch
Mobile: +1-703-462-3494
Office: +1-703-265-2544
Blog: http://practicalid.blogspot.com
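Added example (not code from this thread, nor from SimpleSign, xmltooling or any other project mentioned in it): a small Go program showing the "sign the document as is" approach in miniature, using a detached Ed25519 signature computed over the exact bytes served. The XRD document, the key id `discovery-signer-2008`, the fixed key seed and the `TrustStore` are all constructed for illustration. It makes the two points raised above concrete: the verifier's trust comes from a key pinned out of band, not from whichever host happened to serve the document (Eric's "hosted by" is not "content controlled by"), and because nothing is canonicalised or re-encoded, a change to the served bytes, even whitespace only, invalidates the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed sample discovery document; illustrative only, not a real XRD.
var sampleXRD = []byte(`<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://alice.example.invalid/</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/signon"
        href="https://op.example.invalid/openid"/>
</XRD>
`)

// DetachedSig travels beside the document (a header, a sibling resource);
// it never modifies the signed bytes.
type DetachedSig struct {
	KeyID string // names a key the verifier already trusts
	Sig   []byte
}

// Sign computes the signature over the document bytes exactly as served:
// no canonicalisation, no re-encoding of any kind.
func Sign(priv ed25519.PrivateKey, keyID string, doc []byte) DetachedSig {
	return DetachedSig{KeyID: keyID, Sig: ed25519.Sign(priv, doc)}
}

// TrustStore holds public keys pinned out of band (configuration, a
// separately verified root), so trust does not derive from the host that
// served the document.
type TrustStore map[string]ed25519.PublicKey

// Verify checks the detached signature against the bytes actually received.
func Verify(ts TrustStore, doc []byte, sig DetachedSig) error {
	pub, ok := ts[sig.KeyID]
	if !ok {
		return errors.New("key id not in trust store")
	}
	if !ed25519.Verify(pub, doc, sig.Sig) {
		return errors.New("signature does not cover these bytes")
	}
	return nil
}

// Outcome records which variants of the document verify.
type Outcome struct {
	Original    bool // bytes exactly as served
	Tampered    bool // endpoint swapped after signing
	Reformatted bool // same content, different line endings
	UnknownKey  bool // signature names a key nobody pinned
}

// Demo signs the sample document once and verifies four variants of it.
func Demo() Outcome {
	// Fixed seed so the example is reproducible; a deployment would generate
	// and protect a real key. (Constructed value.)
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	ts := TrustStore{"discovery-signer-2008": priv.Public().(ed25519.PublicKey)}

	sig := Sign(priv, "discovery-signer-2008", sampleXRD)

	tampered := bytes.Replace(sampleXRD,
		[]byte("https://op.example.invalid/openid"),
		[]byte("https://other.example.invalid/openid"), 1)
	reformatted := bytes.ReplaceAll(sampleXRD, []byte("\n"), []byte("\r\n"))
	unknown := DetachedSig{KeyID: "nobody-pinned-this", Sig: sig.Sig}

	return Outcome{
		Original:    Verify(ts, sampleXRD, sig) == nil,
		Tampered:    Verify(ts, tampered, sig) == nil,
		Reformatted: Verify(ts, reformatted, sig) == nil,
		UnknownKey:  Verify(ts, sampleXRD, unknown) == nil,
	}
}

func main() {
	o := Demo()
	fmt.Printf("original=%v tampered=%v reformatted=%v unknown-key=%v\n",
		o.Original, o.Tampered, o.Reformatted, o.UnknownKey)
}
```

The Reformatted case is the price of signing as-is: any intermediary that re-serialises the XML (a proxy normalising line endings, a parser that round-trips the document) breaks the signature, so the check has to run over the bytes as received, before parsing. The UnknownKey case is the trust question Ben raises: a signature is only evidence once the verifier has decided, independently of the document and its host, which keys it will accept.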