[Openid-specs-ab] Signed/encrypted aggregated and/or distributed claims and asymmetric keys

John Bradley ve7jtb at ve7jtb.com
Tue Feb 14 14:37:39 UTC 2012

At the moment it is undefined.  

If a claim is signed, there needs to be some sort of trust framework and meta-data associated with that.
I imagine that one possible solution is for an attribute trust-framework provider to publish the issuer ID and associated entity assertions, including key material.

For distributed claims, they may not be signed; nothing requires that.

The trust may also be configured out of band in some other way. An RP may know that attribute claims coming from https://equifax.com/credit-score are trustworthy in some way.

Some people are proposing using all or part of UMA to provide the introduction and permissioning of the distributed endpoints, though that spec also doesn't have a real trust model for the RP.
It assumes that the RP is starting at the resource because it or the user trusts it already.

So we are probably back to talking about your earlier work on Connect Meta-Data; this is probably where most people will see the value add it provides.

John B.

On 2012-02-14, at 6:05 AM, Roland Hedberg wrote:

> Hi!
> I'm looking at implementing support for aggregated and/or distributed claims and I have a problem with the key distribution.
> When an RP is communicating with an OP, the RP can get all the information it needs about the keys the OP uses using discovery.
> Doing aggregated claims there is not necessarily any communication between the client and the claims provider.
> The claims provider might not even be accessible on the Internet.
> Hence no means by which the client can find out which keys the claims provider uses.
> The same goes for distributed claims, even though, since the client actually talks to the claims provider to get at the claims, it is conceivable that the client could do dynamic discovery as with any other OP it will talk to.
> I can't find anything about this in the documents.
> Am I missing something, or is it just undefined?
> -- Roland
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
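To make the trust gap in this exchange concrete, here is an added example (not code from the thread, from the Connect drafts, or from any OpenID implementation) of an RP resolving the claims in a UserInfo response when the only trust it holds for a claims provider is an issuer-to-key mapping configured out of band, the arrangement John describes. It assumes the `_claim_names` / `_claim_sources` layout of the drafts, ES256 signatures with the JOSE header pinned byte-for-byte (so a header carrying `kid` or `typ` would be rejected by this demo), and made-up issuer URLs, endpoint and access token; the claims-provider key pair is generated at run time precisely because there is no discovery from which an RP could fetch it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

type claimSource struct { // one _claim_sources entry (assumed shape for this example)
	JWT         string `json:"JWT,omitempty"`          // aggregated: signed claims carried inline
	Endpoint    string `json:"endpoint,omitempty"`     // distributed: the RP fetches them itself...
	AccessToken string `json:"access_token,omitempty"` // ...presenting this token
}

// alg is pinned here and never read from the token: only this exact header is signed or accepted.
var es256Header = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256"}`))

// signES256 builds a compact JWS; it only constructs sample data standing in for the claims provider.
func signES256(priv *ecdsa.PrivateKey, claims map[string]interface{}) string {
	body, _ := json.Marshal(claims)
	input := es256Header + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:]) // sample-data helper: error ignored
	sig := make([]byte, 64)                         // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifyAggregated returns the JWT's claims only after its P-256 signature verifies under the key the RP configured out of band for the payload's issuer.
func verifyAggregated(token string, trust map[string]*ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != es256Header {
		return nil, fmt.Errorf("malformed JWS or alg not ES256")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	var claims map[string]interface{}
	if err != nil || err2 != nil || len(sig) != 64 || json.Unmarshal(body, &claims) != nil {
		return nil, fmt.Errorf("bad JWS encoding")
	}
	iss, _ := claims["iss"].(string) // still unverified: used only to choose which key to try
	pub, ok := trust[iss]
	if !ok {
		return nil, fmt.Errorf("no out-of-band trust for issuer %q", iss)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under the key configured for %q", iss)
	}
	return claims, nil
}

// resolveClaims verifies every aggregated claim and lists the distributed ones still to be fetched.
func resolveClaims(names map[string]string, sources map[string]claimSource, trust map[string]*ecdsa.PublicKey) (map[string]interface{}, []string, error) {
	resolved, deferred := map[string]interface{}{}, []string(nil)
	for name, srcName := range names {
		src, ok := sources[srcName]
		if !ok {
			return nil, nil, fmt.Errorf("claim %q names unknown source %q", name, srcName)
		}
		if src.JWT == "" {
			deferred = append(deferred, name) // would GET src.Endpoint bearing src.AccessToken
			continue
		}
		claims, err := verifyAggregated(src.JWT, trust)
		if err != nil {
			return nil, nil, fmt.Errorf("claim %q: %v", name, err)
		}
		v, ok := claims[name]
		if !ok { // the claim must really be present in the signed source
			return nil, nil, fmt.Errorf("claim %q absent from its signed source", name)
		}
		resolved[name] = v
	}
	return resolved, deferred, nil
}

func sampleResponse(cpKey *ecdsa.PrivateKey, issuer string) (map[string]string, map[string]claimSource) {
	names := map[string]string{"credit_score": "src1", "shipping_address": "src2"} // constructed sample data
	sources := map[string]claimSource{
		"src1": {JWT: signES256(cpKey, map[string]interface{}{"iss": issuer, "credit_score": 700})},
		"src2": {Endpoint: "https://bank.example.com/claims", AccessToken: "ksj3n283dke"},
	}
	return names, sources
}

func main() {
	const issuer = "https://equifax.com/credit-score"
	cpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	names, sources := sampleResponse(cpKey, issuer)
	fmt.Println(resolveClaims(names, sources, map[string]*ecdsa.PublicKey{issuer: &cpKey.PublicKey}))
	fmt.Println(resolveClaims(names, sources, nil)) // an RP with no trust configured for that issuer
}
```

Run it with `go run`: the first line shows the aggregated credit_score accepted and shipping_address deferred, the second shows the same response rejected by an RP that has no key on file for the issuer, which is exactly the state Roland describes when nothing publishes the claims provider's keys. Distributed claims are only listed, since fetching them means talking to the endpoint with the access token, and that conversation is where dynamic discovery would at least be conceivable.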
