[OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06

Gabe Wachob gwachob at wachob.com
Thu Jan 24 19:18:48 UTC 2008


Peter-
   OASIS specs (drafts too, usually) are published publicly and for free.
You can find the XRI TC docs at:
http://www.oasis-open.org/committees/documents.php?wg_abbrev=xri

   If you have any issues accessing documents, you can email me personally.

    -Gabe


On Jan 24, 2008 11:12 AM, Peter Williams <pwilliams at rapattoni.com> wrote:

> 2 questions:
>
> Q1. how does XRI/XRD conflict with ENUM/NAPTR and IETF-style provisioning
> of name and service records in DNS
>
>
> A1: You have not read IETF stuff, and I have not read XRI stuff (because
> it costs money to read even a draft OASIS standard). We are kind of stuck in
> a deadlock. Thus, I go with the IETF stuff, expressed particularly in ENUM.
>
> - The basic YADIS approach (read an XRDS stream from an http endpoint)
> seems like a temporary hack, in the big scheme of things. Going XRI native
> or XRI proxies is a blind alley for me, personally, right now (as I'm
> ignorant of what it all means, ultimately)
>
> - walled garden ENUM (where the walled-garden variant was a hard won
> battle in IETF, note) shows how reliance on openid could be walled off,
> without forcing the walling procedures to use protocol level security
> controls (encryption etc) or qualified namespaces.
>
>
>
> Q2. how can openid2 and SAML2 cooperate (within the SAML2 proxying model
> and nameid-qualification/autocreate model)
>
> A2: OpenID2 (like SAML2) assumes matters of qualified naming and account
> subscription/provisioning are handled as local matters - using some or other
> backend (probably legacy) system. We happen to have fronted our proprietary
> stuff (that covers about 85% of realty's 2.5 million current or recently
> expired accounts) with a SAML endpoint - saying to the world: ok! stop whining
> about realty proprietary legacy systems: here is an open interface. Get on
> with it. You have naming protocols, encryption protocols, assertion
> protocols, now even attribute query protocols. When I finally get my head
> around SAML+XACML, we will add authorization protocols via PEPs/PDPs/PAPs.
>
> We are perfectly happy for openid2 protocol engine to be either a
> downstream or upstream SAML/legacy proxy (in the formal SAML IDP proxying
> model). You want to talk to realty via openid protocols..? Wonderful. Here
> is how (not that you really need to know) it maps onto realty's open SAML
> interfaces so we can realize your desire. In certain advanced cases, the
> openid relying party will have business rules that DEMAND that it knows
> about what proxying went on, and with whom. So, we will have to "emulate"
> certain SAML signals as AX attributes, probably. Or, openid3 will do it
> properly.
>
> Peter (speaking for Rapattoni, not various other realty systems vendors or
> NAR).
>
>
>
>
>
>
> ________________________________
>
> From: Joseph Holsten on behalf of Joseph Anthony Pasquale Holsten
> Sent: Wed 1/23/2008 11:17 PM
> To: Peter Williams
> Cc: Drummond Reed; openid-general
> Subject: Re: [OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06
>
>
> On 02008:01:21, at 7:57CST, Peter Williams wrote:
>
>        Intending to speak non-threateningly, I know (as a security
> designer on the dumber end of the know-how spectrum) that I want next to
> investigate SAML2 and its use of NAPTRs. It's in this area where there
> appears a conflict of infrastructure vision between openid and SAML2 - one
> that concerns me.
>
>        Openid Auth (over https) is fine as a lightweight websso protocol.
> But, the whole XRD and XRI emphasis conflicts with general IETF direction in
> DNS, NAPTRs, walled-garden ENUM etc. I know for my part, I don't yet know
> how to reconcile these two infrastructure visions on resolving names to
> services, particularly as the websso assurance depends on secure name resolution.
> I do know I'm personally arming a new SAML2 party each week (in US realty),
> with increasingly sophisticated use of the fancier SAML2 features (which
> bodes well for openid2, which has the same feature set as SAML in the 80% of
> features that most matter).
>
>
> What are you referring to about conflicts with the IETF direction? I
> haven't monitored IETF work in years, so please excuse my ignorance. Are you
> referring to the way XRI extends existing URI infrastructure? Does non-XRI
> XRD resolution (nee yadis) overcome these conflicts in your eyes?
>
>
>
>
>        Whilst we at rapattoni have made a commitment to ensure we can join
> realty's websso infrastructure to the web2.0 world via openid2, beyond
> that limited goal I'm not sure how to characterize what we will do with
> openid. I think it all comes down to SPECIFICALLY how the UCI management
> vision takes off, or not, in such things as business applications that are
> building on all the various successful social networking practices proven
> over the last few years.
>
>
> I wonder, are you implementing openid alongside SAML2? It seems that most
> of the SSO uses we've had at my work are best solved with OAuth, although if
> the site you're SSOing with acts as an OP, I guess AX would be sufficient.
>
> http:// Joseph Holsten .com
>
>



-- 
Gabe Wachob / gwachob at wachob.com \ http://blog.wachob.com

