Artifact Binding Re: specs Digest, Vol 36, Issue 1

John Bradley john.bradley at wingaa.com
Wed Aug 19 13:30:44 UTC 2009


Nat,

On a first read through.

Your proposal only solves half the problem,  in that it only reduces  
the size of the indirect response.   With extensions it is still  
possible to likely that requests will go over 2K.

I would prefer not to have to revisit this again once the request size  
becomes an issue.

The OP needs to advertise that it supports the binding in it's XRD/S.

As you point out this doesn't do anything for security.    The  
artifact will need to be encrypted or mutual TLS used for the direct  
connection.

In testing something close to 1% of RP and OP have TLS implemented  
correctly now.   Mutual TLS may impossible to implement in some  
environments.

It is easy to say just use TLS for that, and make it someone else's  
problem.   Mutual TLS may be the best option but encrypting the  
fragment and using normal TLS should also be considered.

Having the OP POST to the RP directly should also be considered,  that  
would work for LoA 2 but probably not LoA 3 without mutual TLS.

There are a number of tradeoffs with different methods.

A good attempt to show how this method would work.

John B.

On 19-Aug-09, at 5:51 AM, Nat Sakimura wrote:

> Been sick and not following the various discussion around artifact  
> since last Saturday, so I might be out of sync but here is my shot  
> for Artifact Binding which I hoped to provide on Friday 14th.
>
> http://wiki.openid.net/OpenIDwithArtifactBinding
>
> It is about 40 lines of modification/addition. The portion that I  
> changed/added are in RED so it should be easy for you to find out.
>
> Its sequence is a bit different than SAML Artifact binding as I  
> tried to minimize the impact to the current deployments.
>
> It has done nothing about encryption. The direct communication  
> should be over the verified TLS channel. Security implication of the  
> Artifact exposure on the indirect communication should be further  
> discussed, but my preliminary assessment is that it should be ok.
>
> =nat
>
> On Wed, Aug 19, 2009 at 8:42 AM, Dick Hardt  
> <Dick.Hardt at microsoft.com> wrote:
> my $0.02
>
> I expect the data moving between the RP and OP to become even larger  
> over time, therefore a standard, alternative mechanism for moving  
> the data directly between the RP and OP, particularly when bandwidth  
> to the client is constrained, seems desirable.
>
> I would generally prefer a proven, widely deployed encryption  
> mechanism such as TLS rather then adding functionality to OpenID
>
> -- Dick
> ________________________________________
> From: openid-specs-bounces at lists.openid.net [openid-specs-bounces at lists.openid.net 
> ] on behalf of John Bradley [john.bradley at wingaa.com]
> Sent: Tuesday, August 18, 2009 3:27 PM
> To: Allen Tom
> Cc: openid-specs at lists.openid.net
> Subject: Re: Artifact Binding Re: specs Digest, Vol 36, Issue 1
>
> One of the things you need for LoA 2 is to prevent eavesdropping.
>
> The choices are encrypt the response to the RP or use direct
> communication with TLS (probably mutual) if the RP is going to make a
> direct request to the OP.
>
> Using an artifact binding has advantages and disadvantages.   Using it
> to get around the 2K URI limit in IE would put any RP not supporting
> it at a disadvantage.
>
> It might be acceptable if the RP could indicate its support for
> artifact binding in the request and allow the OP to use artifact
> instead of post.
>
> With mobile devices becoming more common I can see people preferring
> an artifact binding over the existing ones.
>
> It is a real change to the protocol and will add complexity supporting
> another binding.
>
> One short term fix that Andrew Arnott implemented in DotNetOpenAuth is
> a smart detection of OP's support for AX vs SREG and preferring SREG
> if it is supported.   Most people are only using AX for the SREG
> attributes anyway.
>
> I agree that the AX attribute URI need to get sorted out anyway.   We
> could look at making them shorter when we mint new standard ones.
>
> John B.
> On 18-Aug-09, at 6:02 PM, Allen Tom wrote:
>
> > Hi All,
> >
> > Sorry for the delayed response, I'm still catching up on mail after
> > being on vacation last week.
> >
> > Breno - How would artifact binding help OpenID attain Loa2? I'm
> > unclear as to how that would make a difference.
> >
> > The Yahoo OP was recently updated to return responses that are
> > larger than 2KB using POST, and this has caused many users to see
> > the ugly browser warning because most RPs don't support HTTPS.
> > Displaying the ugly browser warning is really unacceptable, so we'll
> > probably update the Yahoo OP to only use POST only for HTTPS
> > return_to URLs.
> >
> > The excessively large responses are mostly due to AX being
> > excessively verbose. It would be really nice if we could revise AX
> > to be a lot more compact. Perhaps if we had a standardized AX
> > schema, we'd be able to shorten the message size.
> >
> > Allen
> >
> >
> >
> > Breno de Medeiros wrote:
> >>
> >> Since Google was mentioned here as wanting artifact, let me make  
> the
> >> record clear to say that I spoke about artifact binding on my
> >> personal
> >> capacity.
> >>
> >> My very own personal view is that an artifact profile would be easy
> >> to
> >> spec out (the check_authentication or stateless mode is already the
> >> artifact flow without the additional benefits of artifact) and  
> would
> >> make OpenID more robust. Currently long URLs require POST which  
> only
> >> gives you so much mileage. POST is ugly if the RP has a non-HTTPS
> >> endpoint, with scary user confirmation dialogs.
> >>
> >> Also, I did not wish to express any personal opinion on whether
> >> OpenID
> >> should seek Loa2, just to note that artifact is the easiest route
> >> there.
> >>
> >> On Thu, Aug 13, 2009 at 10:45 AM, Nat Sakimura<sakimura at gmail.com>
> >> wrote:
> >>
> >>> John,
> >>> You changed the topic of this thread.
> >>> This thread was about artifact binding, not about Government LoA.
> >>> That's another thread :-)
> >>> Yes, Artifact helps LoA, but it is not only that.
> >>> It helps the mobile space immensely.
> >>> =nat
> >>>
> >>> On Fri, Aug 14, 2009 at 2:00 AM, John Bradley <jbradley at mac.com>
> >>> wrote:
> >>>
> >>>> Chris
> >>>> I think we are agreeing.  OpenID needs to play to it's strengths.
> >>>> Chasing shiny things is tempting.
> >>>> We need to carefully consider the impact of changes.
> >>>> That is not to say that openID shouldn't evolve.
> >>>> There are always tradeoffs.
> >>>> Remember that a GSA LoA 2 or 3 profile is focused on the Gov
> >>>> accepting the
> >>>> assertions for specific uses.
> >>>> Other people are free to make there own determinations for other
> >>>> use
> >>>> cases.
> >>>> I am interested in finding out if IdP really want to be certified
> >>>> at LoA 2
> >>>> with all of the extra identity
> >>>> proofing,  liability and other things that go with that.
> >>>> A LoA 2 certification for a IdP involves a lot more than just
> >>>> tweaking
> >>>> some protocol peaces.
> >>>> Are there OPs  that want that?
> >>>> John B.
> >>>> On 13-Aug-09, at 9:11 AM, Chris Messina wrote:
> >>>>
> >>>> On Thu, Aug 13, 2009 at 8:34 AM, John Bradley <jbradley at mac.com>
> >>>> wrote:
> >>>>
> >>>>> Some may ask if we add artifact binding, signatures and
> >>>>> encryption are we
> >>>>> not reinventing SAML Web SSO, or something of equal complexity?
> >>>>>
> >>>> I would like to know more about this, but my instinct is always
> >>>> to say
> >>>> "NO" for as long as possible when any new feature will a)  
> introduce
> >>>> complexity and b) stifle or impair potential adoption.
> >>>> That we've come as far as we have is a feat; maintaining that
> >>>> momentum is
> >>>> critical — and that means making good on the promise of what
> >>>> OpenID offers
> >>>> *today* — and only extending it with real world examples where
> >>>> people are
> >>>> implementing kludges (en masse) to serve a common need.
> >>>>
> >>>> Chris
> >>>> --
> >>>> Chris Messina
> >>>> Open Web Advocate
> >>>>
> >>>> Personal: http://factoryjoe.com
> >>>> Follow me on Twitter: http://twitter.com/chrismessina
> >>>>
> >>>> Citizen Agency: http://citizenagency.com
> >>>> Diso Project: http://diso-project.org
> >>>>
> >>>> OpenID Foundation: http://openid.net
> >>>>
> >>>>
> >>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> specs mailing list
> >>>> specs at lists.openid.net
> >>>> http://lists.openid.net/mailman/listinfo/openid-specs
> >>>>
> >>>
> >>> --
> >>> Nat Sakimura (=nat)
> >>> http://www.sakimura.org/en/
> >>>
> >>> _______________________________________________
> >>> specs mailing list
> >>> specs at lists.openid.net
> >>> http://lists.openid.net/mailman/listinfo/openid-specs
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>
> >
> > _______________________________________________
> > specs mailing list
> > specs at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
>
>
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/



More information about the specs mailing list