Service Key Discovery 1.0
Peter Davis
peter.davis at neustar.biz
Tue Jan 22 15:37:48 UTC 2008
true enough. However, there are design patterns (at least) from
which one can apply to alternate representations (which is at the
heart of, as you put it, 'key/value-pair way of doing what's desired' ).
=peterd
On Jan 22, 2008, at 10:27 AM, Hans Granqvist wrote:
> In essence, OpenID is a reaction to (perceived?) complexity, so
> it's an
> uphill battle to reference SAML, XRI, or anything that touches on any
> W3 or OASIS standard effort relating to XML and security, really.
>
> So for OpenID, there has to be a simpler, "key/value-pair," way of
> doing what's desired, it seems.
>
> Hans
>
> On 1/21/08, Drummond Reed <drummond.reed at cordance.net> wrote:
>> Masaki, Peter has a good point -- the XRDS keyinfo discovery
>> mechanism,
>> specified in section 10.2 (SAML Trusted Resolution) of XRI
>> Resolution 2.0
>> Committee Draft 02
>> (http://docs.oasis-open.org/xri/2.0/specs/cd02/xri-resolution-V2.0-
>> cd-02.pdf
>> ), deals with DNS poisoning by using signed SAML assertions
>> (including the
>> ds:keyInfo element) for each authority in the resolution chain. So
>> presuming
>> HTTPS is used for the first root authority call, you should be
>> good all the
>> way down the chain as long as signatures verify.
>>
>> (Peter's also right that libraries have not implemented it yet,
>> but that may
>> be changing soon as demand for secure key discovery rises...)
>>
>> =Drummond
>>
>>> -----Original Message-----
>>> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net]
>>> On Behalf
>>> Of Peter Davis
>>> Sent: Monday, January 21, 2008 6:33 AM
>>> To: NISHITANI Masaki
>>> Cc: specs at openid.net
>>> Subject: Re: Service Key Discovery 1.0
>>>
>>> FWIW, the XRI form of openID's provides just such a mechanism,
>>> where-
>>> by the publisher of the XRD signs all (or a part of) the XRDS, tho i
>>> know of few libraries today which support trusted resolution[1].
>>>
>>> =peterd
>>>
>>> [1] http://docs.oasis-open.org/xri/2.0/specs/cd02/xri-resolution-
>>> V2.0-
>>> cd-02.pdf
>>>
>>>
>>> On Jan 21, 2008, at 5:38 AM, NISHITANI Masaki wrote:
>>>
>>>> Hi all.
>>>> What concerns me these days is about secure data exchange
>>>> over OpenID for serious services and about this theme, I
>>>> came upon an specification, "secure key discovery 1.0"
>>>>
>>>> For my understanding, this spec is about implementing
>>>> security framework on OpenID world and is still very draft.
>>>>
>>>> Now I'd like to figure out some point I found.
>>>>
>>>> - In this, the url of the public key is defined to be in the
>>>> XRD document and entities will make another request for
>>>> the url to retrieve the public key itself.
>>>> This gives bad people a chance to pass off a fake key with
>>>> poisoning the end-user's DNS. How about to put public key
>>>> itself in the XRD or someone else the entity trusts (a
>>>> key server)?
>>>> The entity only has to manage SSL certificate fingerprints
>>>> of XRD authorities or trusting key servers.
>>>>
>>>> - With "secure key discovery", we do have to use
>>>> "association" or "verification message" no longer.
>>>> I think we can optimize OpenID protocol using digital
>>>> signature with public keys. This can be done with
>>>> following procedure.
>>>>
>>>> 1. End-user enter its OpenID in RP site.
>>>> 2. RP resolve the id and select the user's OP.
>>>> 3. In the same time, RP retrieve the OP's public key.
>>>> 4. RP generate a challenge (maybe the user's http session
>>>> id)
>>>> 5. RP send the id to the OP via http redirection.
>>>> 6. OP authenticate the user and sign to the challenge with
>>>> OP's secret key.
>>>> 7. OP send the assertion including the signed challenge
>>>> back to the RP via redirection.
>>>> 8. Now RP can verify the assertion with the signature
>>>> using OP's public key.
>>>>
>>>> The good thing about this sequence is not only reducing
>>>> network traffic, but this can be a solution against
>>>> man-in-the-middle attacks, to which OpenID has principle
>>>> vulnerability.
>>>>
>>>> I think this spec can be quite useful for the next version
>>>> of OpenID protocol.
>>>> Does someone know the status of it?
>>>>
>>>>
>>>> =masaki
>>>>
>>>> _______________________________________________
>>>> specs mailing list
>>>> specs at openid.net
>>>> http://openid.net/mailman/listinfo/specs
>>>
>>> _______________________________________________
>>> specs mailing list
>>> specs at openid.net
>>> http://openid.net/mailman/listinfo/specs
>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>>
More information about the specs
mailing list