[Openid-specs-ab] OX work on OpenID Connect multi-party Federations

John Bradley ve7jtb at ve7jtb.com
Fri Aug 31 14:44:05 UTC 2012


Publishing the certs on a https: URI basically gives you no better than HTTPS PKIX security.

I think that is fine for most applications.  For LoA 3 and perhaps LoA 2 the certificate or keys may need to be in the meta-data to be part of a more highly trusted trust chain.

John B.

On 2012-08-31, at 10:38 AM, Michael Schwartz <mike at gluu.org> wrote:

> 
> I just added :
> 
>  1) RP and OP to publish public certificates on an HTTPS URI
>  2) Federation publishes Public Key and signs federation metadata
> 
> per John's suggestion.
> 
> - Mike
> 
> 
> 
> -------------------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> office: +1 646-810-8761
> mike at gluu.org
> 
> On Fri, 31 Aug 2012, John Bradley wrote:
> 
>> I think the general idea is good.  It will be important to support entity attributes for LOA and claims confidence.
>> 
>> Andreas has also had some thoughts.
>> https://rnd.feide.no/2012/08/24/openid-connect-federations/
>> 
>> We should try and dedicate a call or session at IIW to this.
>> 
>> John
>> On 2012-08-31, at 10:12 AM, Michael Schwartz <mike at gluu.org> wrote:
>> 
>>> 
>>> OpenID Group...
>>> 
>>> We weren't going to announce this until we had working code, but we have started to sketch a design for OpenID Connect federation metadata:
>>> http://ox.gluu.org/doku.php?id=oxauth:federation
>>> 
>>> I used Shib-style federations like InCommon as the model.
>>> 
>>> This obviously needs some work... I would like to reference the entity's certificates by URI if that's feasible.
>>> 
>>> Sorry it goes into the weeds a little at the end. We're moving some of the content to new pages :)
>>> 
>>> thx,
>>> 
>>> Mike
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
>> 

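The point John makes above, that an entity key carried inside federation-signed metadata chains to the federation's trust rather than to the HTTPS PKIX chain of whatever URI it was fetched from, as an added Go example; this is not code from the thread or from Gluu's OX project. The JSON layout, the use of Ed25519, and the relying party holding a pinned federation public key are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Entity is one RP or OP entry; its key rides inside the signed metadata
// rather than being fetched from an https: URI (hypothetical layout).
type Entity struct {
	ID  string `json:"id"`
	Key string `json:"key"` // base64-encoded Ed25519 public key
}
// Metadata is the document the federation operator signs.
type Metadata struct {
	Federation string   `json:"federation"`
	Entities   []Entity `json:"entities"`
}
// SignMetadata is run by the federation operator with its private key and
// returns the encoded document plus its Ed25519 signature.
func SignMetadata(priv ed25519.PrivateKey, md Metadata) (payload, sig []byte, err error) {
	payload, err = json.Marshal(md)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// EntityKey releases an entity key only after the pinned federation key verifies the signature.
func EntityKey(fedPub ed25519.PublicKey, payload, sig []byte, id string) (ed25519.PublicKey, error) {
	if !ed25519.Verify(fedPub, payload, sig) {
		return nil, errors.New("federation signature invalid: metadata not trusted")
	}
	var md Metadata
	if err := json.Unmarshal(payload, &md); err != nil {
		return nil, err
	}
	for _, e := range md.Entities {
		if e.ID == id {
			raw, err := base64.StdEncoding.DecodeString(e.Key)
			if err != nil || len(raw) != ed25519.PublicKeySize {
				return nil, errors.New("malformed entity key")
			}
			return ed25519.PublicKey(raw), nil
		}
	}
	return nil, errors.New("entity is not a federation member")
}
```

A tampered document, a non-member entity, or a signature under some other key all fail before any entity key is handed out, which is the property a plain HTTPS fetch of the certificate does not give.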