Anyone seen xauth.org?

Paul Madsen paulmadsen at rogers.com
Mon Apr 19 19:52:48 UTC 2010


And to clarify Chris's reference to Liberty Alliance, Liberty's 
Discovery Service is more comparable to XRD - a service at which the RP 
can query the user's various services and locations (and in Liberty, 
obtain security tokens for those discovered endpoints a la WRAP & WS-Trust).

The Liberty DS did not track current authn sessions like XAuth. And 
neither does/did SAML's Common Domain Cookie - it was meant to be a 
history of past authn sessions (so slightly less timely info).

paul

On 4/19/2010 3:14 PM, Nate Klingenstein wrote:
> Chris,
>
> Here's the final specification for one of the models you're referring 
> to, the Discovery Service.  It existed for many years prior to that as 
> the "WAYF" -- "where are you from?" service, and it's the one with 
> wide purchase in academia.
>
> http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html 
>
>
> The XAuth proposal seems also, on quick, distracted glance, to have 
> flavors of the "common domain cookie" in the original SAML specs, but 
> that failed in deployment.
>
> But most of the technical distinctions appear to me to be built around 
> the concept of integration with the user's session at the identity 
> provider.  That would be radically different from what we've done thus 
> far, which caches and maintains nothing more than the user's choice of 
> identity provider; not even whether they're a legitimate user there.
>
> It appears to place an enormous amount of power and centralization 
> into the hands of the XAuth service.  We've always wanted the DS to be 
> an independent, optional piece of infrastructure, not the central cog 
> around which everything else rotates.
>
> Interested to learn more, to see whether my initial reading here is off.
> Nate.
>
> On Apr 19, 2010, at 6:24 PM, Chris Messina wrote:
>
>> In fact, this model is widely used in academia and in Europe to 
>> simplify federated authentication.
>

-- 
Paul Madsen                       connectid.blogspot.com
NTT DATA AgileNet                 @paulmadsen
paulmadsen at nttdata.com
6138588647

