[OpenID] ANN: OpenID Information Cards spec and working implementation

Peter Williams pwilliams at rapattoni.com
Tue Aug 28 22:11:05 UTC 2007


And yes - when issuing an OpenID Information Card the OP/STS should  
make it clear that it's an "auditing" one (just in case that the  
"auditing" aspect of OpenID is not clear to the Infocard user).


--- Summary:

---Note to Journalists: a critical difference between OpenID webSSO and
other schemes is that OpenID requires users always accept the
possibility that the OP will be auditing.

> The other problem that I still seem to have with this spec is that  
> I do not exactly see what benefits over SAML it really has.

What are the benefits of SAML tokens over OpenID tokens? :-)

... one can sign the assertion using RSA; one can verify using public
key distribution. One doesn't need the verification via https. 

...If the RP is storing the assertion for record keeping, the SAML
assertion comes with its own integrity mechanism for record retention.

...In the case of offloading to a SAML2 server, the receiving SAML
server does both the signature assertion checking (any https checking)
and the records retention, locally-encrypting the assertions it stores
in the records retention stores, as required.

...Remember, SAML distinguishes between signing the SAML Response
envelope vs signing the assertion.

...Does InfoCard's delivery of SAMLTokens require or permit the STS to
issue (RSA) signed SAML assertions?
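The contrast drawn above (an RSA-signed assertion that any holder can re-verify from the issuer's public key alone, versus an OpenID association MAC that can only be checked with the shared secret or by asking the OP again) as an added Go example; it is not code from this thread, and the assertion text and association secret are constructed values.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample; stands in for the body of a SAML assertion.
const assertion = `<Assertion ID="example-1" Issuer="op.example">subject=alice</Assertion>`

// signAssertionRSA signs the assertion (SHA-256, PKCS#1 v1.5) with the issuer's
// private key: the self-contained integrity mechanism a stored record can carry.
func signAssertionRSA(priv *rsa.PrivateKey, body string) ([]byte, error) {
	digest := sha256.Sum256([]byte(body))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyAssertionRSA re-checks a retained assertion with only the issuer's
// public key, so the RP or a records store can do it later without the OP.
func verifyAssertionRSA(pub *rsa.PublicKey, body string, sig []byte) bool {
	digest := sha256.Sum256([]byte(body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// macAssertion models an OpenID association signature: an HMAC keyed with a
// secret shared by OP and RP. Verifying it later needs that same secret (or a
// check_authentication round-trip to the OP), so it is not a retention mechanism.
func macAssertion(secret []byte, body string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(body))
	return m.Sum(nil)
}

func verifyMAC(secret []byte, body string, mac []byte) bool {
	return hmac.Equal(mac, macAssertion(secret, body))
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := signAssertionRSA(priv, assertion)
	fmt.Println("RSA verify, public key only:", verifyAssertionRSA(&priv.PublicKey, assertion, sig))
	fmt.Println("RSA verify, tampered record:", verifyAssertionRSA(&priv.PublicKey, assertion+" ", sig))
	secret := []byte("constructed-association-secret") // constructed shared secret
	mac := macAssertion(secret, assertion)
	fmt.Println("HMAC verify with shared secret:", verifyMAC(secret, assertion, mac))
	fmt.Println("HMAC verify with wrong secret:", verifyMAC([]byte("other"), assertion, mac))
}
```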
