[OpenID] ANN: OpenID Information Cards spec and working implementation

Johnny Bufu johnny at sxip.com
Tue Aug 28 21:57:03 UTC 2007


On 28-Aug-07, at 12:03 PM, Gerald Beuchelt wrote:
> If I am reading this correctly, then (one of) the biggest
> differences between a SAML payload and an OpenID token is that
> there is additional user-specific communication between the RP and the OP/
> STS (in accordance with the OpenID specs).

Yes and no. It's additional only if with a SAML token you don't  
consider validating the token issuer.

OpenID "token issuer" validation is mandatory (part of the  
verification process).


> This seems to me as breaking Kim's laws on Directed Identity and
> Justifiable Parties, by allowing the OP/STS to create a log of
> visited RPs. I know that that is not necessarily a problem within  
> OpenID (especially if you run your own), but the Infocard model -  
> and especially the Windows CardSpace UI - were designed with most  
> limiting disclosure in mind. This has started to sink into the  
> collective mindset, so that every time a user participates in the  
> "Infocard ceremony" the expectation is that the IdP will not be  
> able to correlate RP visits.

I could say that disclosing the visited site to the STS/OP is  
justifiable, because that's how OpenID works.

The Infocard technology does allow this (managed cards with auditing  
mode enabled, and we're requiring it in the OpenID Information Cards  
spec). While aiming for the most privacy-protecting features, the
Infocard specs define and allow this use case as well.


> If the OpenID token changes this kind of behavior, this should be  
> very clearly indicated to the user before he/she can use it.

It doesn't *change* this behavior; it uses this option out of a set.

And yes - when issuing an OpenID Information Card the OP/STS should  
make it clear that it's an "auditing" one (just in case the
"auditing" aspect of OpenID is not clear to the Infocard user).

Not sure if there are any Infocard UX recommendations here.

> The other problem that I still seem to have with this spec is that  
> I do not exactly see what benefits over SAML it really has.

What are the benefits of SAML tokens over OpenID tokens? :-)


Johnny