2.0 Spec Questions
dick at sxip.com
Mon Jan 22 17:18:28 UTC 2007
On 21-Jan-07, at 4:48 PM, James McGovern wrote:
> Several questions after reading the 2.0 spec - draft 11.
> 1. The definition of realm if I am reading it correctly could be
> in large enterprises. For example, if one were using a web access
> product, they would have the ability to define a realm in terms of
> a listing
> of discrete hosts that may or may not fit a URL pattern matching
> For example, I could have a demographic called consumers who could
> hosts such as http://myconsumer.example.com ,
> http://printstatements.example.com, http://paybills.example.com
> another demographic called Business Partner may have a different
> set of
> hosts they can interact with.
The motivation of the realm is to deal with web sites where there are
many host names, but really one site -- LiveJournal being the
motivating use case, as well as being where OpenID got its start.
Each blog has a separate hostname:
Since different blogs have different hostnames, but a user thinks of
them all as being lLiveJournal, so being able to have a realm of:
> 2. In terms of checking the nonce, can we recommend that a deployment
> practice should be to use the NTP protocol and point to clocks of a
> stratum? Likewise, would it be a good idea if an association could
> how much skew it would accept before rejecting?
The date-time stamp in the nonce is really to assist the RP in
knowing that it can discard a message if it is older then a x period
rather then having to hold every nonce received. I don't know how
much skew happens out in the wild these days, but perhaps we could
get an idea of what that is and then recommend how long the RP should
keep a nonce before discarding?
> 3. In terms of an extension, should an OP be able to indicate when
> may be required so the user doesn't assume that if they
> authenticate once
> they are always good?
AuthN is for the benefit of the RP. While one view might be that the
OP should be able to dictate how long the AuthN is good for, once
used, it is really the RP that is determining if it is the same user.
I think the more important consideration is the RP wanting to get the
OP to do AuthN for the user instead of using a cached AuthN. I wanted
to put it in the spec, but the decision was that it was better in an
> 4. Some portions of the spec are heavily coupled to PKI. How should
> users of IBE think of this?
Besides recommending sites use TLS, I don't see the PKI coupling you
are referring to. Would you elaborate?
More information about the specs