Proposal to create the TX working group

David Recordon drecordon at sixapart.com
Tue Nov 11 21:39:00 UTC 2008


Just wanted to add that Nat is running a session on TX at IIW this  
afternoon.  We should definitely chat about the needs being expressed  
in this thread and how they might be able to be solved with OpenID.

--David

On Nov 11, 2008, at 1:13 PM, Martin Paljak wrote:

> On 09.11.2008, at 20:51, Nat Sakimura wrote:
>> As to AX+SAML (or for that matter XAdES) is concerned, that is a  
>> valid approach, but if I were to use SAML, I would use
>
> Just to clarify a technical detail: The XAdES example regarding  
> Estonia you mentioned earlier does not include transporting XAdES  
> payloads over OpenID AX (which seems to be the purpose of the  
> discussed workgroup where the similarities of SAML over AX come in).  
> The special behavior and out of band assurances given by openid.ee  
> do not include anything new on the protocol level, just added  
> semantics to basic OpenID transactions. If we could use PDF  
> signatures as legally valid signatures in Estonia, it could be PDF  
> based signatures instead of XAdES, or ODF signatures, or MS .doc  
> signatures.
>
> FYI, openid.ee allows a RP to upload a contract (template) which  
> must be agreed with and digitally signed (legally binding signature  
> resulting in an XAdES document with the filled in contract signed by  
> the user with an ID-card and stored on the OP) before the OP starts  
> issuing positive assertions about the given user to the given RP.  
> The contract could be a document of any kind (PDF, JPG, DOC, TXT)  
> and the only thing that is transferred to the RP over AX is a  
> 'secret url' from where the RP can download the signed contract  
> (XAdES container with the possibly PDF contract in it).
>
> The actual assurance (that the user has signed the contract the RP  
> has uploaded) comes from out of band agreements/contracts between OP  
> and RP. The AX attribute is just an extra option, if the RP wishes  
> to automatically fetch and store the signed contract somewhere.
>
> Basically it is an advanced and legally binding 'I agree with terms  
> and conditions' checkbox built on top of standard OpenID.
> With legally binding I mean that it is dead simple in the court:  
> "Here are the terms and conditions you digitally signed and which  
> you have violated" as checking checkboxes and pressing 'continue' is  
> not a legally binding action in Estonia, at least I don't know of  
> any court cases about it.
>
> If you need an example use case, think of signing and faxing NDA-s  
> before you can download some simple "secret" product documentation.
>
>
> -- 
> Martin Paljak
> http://martin.paljak.pri.ee
> +372.515.6495
>

More information about the specs mailing list