backchannel/endpoint URLs, desired attributes

Paul Trevithick ptrevithick at gmail.com
Sat Dec 19 00:59:19 UTC 2009


Well, on a somewhat related note, some folks at the Berkman center a while back used some Higgins code to create an OpenID OP that used AX to convey a SAML 1.1 token signed by an external identity authority (not the OP). [The SAML token was the value of an AX attribute (though not one that was explicitly requested!)]. Sort of a hack, but there was a need to do what Dick is saying and this was one way to make it work before we have something more elegant. At least it demonstrated the need to move verified 3rd party attributes through the OP to the RP. --Paul
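The pattern described above (a claim signed by an external authority riding through the OP as an AX attribute value, with the RP trusting the signer rather than the OP) as an added example in Python; it is not code from this thread, from Higgins or from any OP. It assumes a constructed authority key table, a hypothetical AX type URI, and an HMAC tag standing in for the XML signature on the SAML 1.1 token.

```python
import base64
import hmac
import json

# Constructed: the RP's table of external authorities it trusts and their keys.
# Stand-in assumption: an HMAC-SHA256 tag with a per-authority secret replaces the
# XML signature on the SAML 1.1 token from the thread; the checks are the same.
AUTHORITY_KEYS = {"https://authority.example/gov": b"constructed-authority-secret"}
CLAIM_TYPE = "http://example.com/ax/signed-claim"  # hypothetical AX type URI
PREFIX = "openid.ax.type."

def sign_claim(issuer, key, subject, claims):
    """What the external authority does, offline: bind attributes to an OpenID."""
    payload = {"iss": issuer, "sub": subject, **claims}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), "sha256").hexdigest()

def verify_claim(token, expected_subject):
    """Return the verified attributes, or None. Trust rests on the issuer's key,
    never on the fact that the OP relayed the token."""
    try:
        body, sig = token.split(".", 1)
        claims = json.loads(base64.urlsafe_b64decode(body))
        key = AUTHORITY_KEYS.get(claims["iss"])
    except (ValueError, TypeError, KeyError):
        return None  # malformed token, not a JSON object, or no issuer
    if key is None:
        return None  # unknown issuer (this includes the OP signing its own claims)
    expected = hmac.new(key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered in transit or forged
    if claims.get("sub") != expected_subject:
        return None  # claim must bind to the OpenID the OP just authenticated
    return {k: v for k, v in claims.items() if k not in ("iss", "sub")}

def verified_attributes(ax_response, claimed_id):
    """Walk an AX fetch_response (openid.ax.type.<alias> / openid.ax.value.<alias>)
    and keep only attributes backed by a claim from a trusted authority."""
    out = {}
    for key, type_uri in ax_response.items():
        if not key.startswith(PREFIX) or type_uri != CLAIM_TYPE:
            continue  # ordinary AX attributes are OP-asserted, not third-party verified
        alias = key[len(PREFIX):]
        claims = verify_claim(ax_response.get("openid.ax.value." + alias, ""), claimed_id)
        if claims:
            out.update(claims)
    return out
```

Plain AX attributes such as the email address still come out as OP-asserted only; the RP gets "confidence" in name and date of birth solely because it holds the authority's key.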

On Dec 18, 2009, at 7:45 PM, Joseph Anthony Pasquale Holsten wrote:

> +1 That's why I'm putting my newfound free time into understanding AX2  
> and CX today. Are any other groups working on this?
> --j
> 
> On Dec 18, 2009, at 3:54 PM, Dick Hardt wrote:
> 
>> One of my objectives with OpenID was that the OP was *only*  
>> authoritative about the user's OpenID -- not anything else.
>> 
>> Other attributes would ideally be asserted by parties that are  
>> already trusted to make those assertions. The OP would be the  
>> clearing house for those verified attributes, but would not be the  
>> authority. For example, I may get a claim from the government  
>> binding my OpenID to my name and date of birth. I could then present  
>> that claim along with my OpenID to an RP. If they trust the  
>> government (or whichever entity generated the claim), then they have  
>> "confidence" in my name and date of birth.
>> 
>> The binding of the attributes to an OpenID would be a verification  
>> process done in a manner that RPs trust.
>> 
>> Trust is a social issue, not a technical issue. I believe that  
>> certifying OPs and developing yet-another-identity verification  
>> process is much more effort than getting existing trusted  
>> authorities to make claims. Existing authorities are already in the  
>> business of being authorities, and already are trusted. I have  
>> talked to numerous existing authorities that are interested in  
>> making claims about users.
>> 
>> Unfortunately, OpenID has not yet standardized how to represent,  
>> request or verify digital claims. Hopefully that is something we  
>> work on sooner rather than later.
>> 
>> -Dick
>> 
>> 
>>> -----Original Message-----
>>> From: Chris Obdam [mailto:chris.obdam at gmail.com] On Behalf Of Chris
>>> Obdam
>>> Sent: Friday, December 18, 2009 1:37 PM
>>> To: Dick Hardt
>>> Cc: Joseph Anthony Pasquale Holsten; openid-specs at lists.openid.net
>>> Subject: Re: backchannel/endpoint URLs, desired attributes
>>> 
>>> We are still working on that. We are now enquiring with the involved
>>> OPs about their current verification methods. We hope to create a
>>> public inventory of methods out of that. We don't think that there
>>> will be a 'right way'.
>>> 
>>> Cheers,
>>> 
>>> Chris Obdam
>>> Stichting OpenID NL (Dutch OpenID foundation)
>>> 
>>> On 18 Dec 2009, at 22:27, Dick Hardt wrote the following:
>>> 
>>>> I'd be interested to hear what "the right way" is for verifying
>>>> attributes.
>>>> 
>>>> -Dick
>>>> 
>>>>> -----Original Message-----
>>>>> From: openid-specs-bounces at lists.openid.net [mailto:openid-specs-
>>>>> bounces at lists.openid.net] On Behalf Of Chris Obdam
>>>>> Sent: Friday, December 18, 2009 1:13 PM
>>>>> To: Joseph Anthony Pasquale Holsten
>>>>> Cc: openid-specs at lists.openid.net
>>>>> Subject: Re: backchannel/endpoint URLs, desired attributes
>>>>> 
>>>>> Joseph,
>>>>> 
>>>>> Over here in Holland (strange country..;-)) we are creating a group
>>>>> of certified OPs, for whom we check whether the attributes are
>>>>> verified in the right way.
>>>>> I know it's not that OPEN. But we don't see any other solution yet.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Chris Obdam
>>>>> Stichting OpenID NL (Dutch OpenID foundation)
>>>>> 
>>>>> On 18 Dec 2009, at 13:08, Joseph Anthony Pasquale Holsten wrote the
>>>>> following:
>>>>> 
>>>>>> Peter Watkins supposedly wrote:
>>>>>> 
>>>>>>> I'm responsible for a City government web site, so not large but
>>>>>>> perhaps representative of a large set of potential RPs:
>>>>>> ...
>>>>>>> We'd love to get metadata about the attributes, too -- date on
>>>>>>> which the email address was verified, whether the OP vouches that
>>>>>>> the avatar is actually a picture of the individual, etc.
>>>>>> 
>>>>>> If I may pry, what do you plan to do with verified attributes? For
>>>>>> example, I intend for my self-hosted OP to tell everyone that I
>>>>>> last verified my email before I was born. I'm as interested in the
>>>>>> user interface implications as the security ones.
>>>>>> 
>>>>>> --
>>>>>> Joseph Holsten
>>>>>> http://josephholsten.com
>>>>>> mailto:joseph at josephholsten.com
>>>>>> tel:+1-918-948-6747
>>>>>> 
>>>>>> _______________________________________________
>>>>>> specs mailing list
>>>>>> specs at lists.openid.net
>>>>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>>>> 
>>>> 
>>> 
>> 
> 