[OpenID] ANN: OpenID Information Cards spec and working implementation
Johnny Bufu
johnny at sxip.com
Tue Aug 28 22:19:17 UTC 2007
On 28-Aug-07, at 3:11 PM, Peter Williams wrote:
> And yes - when issuing an OpenID Information Card the OP/STS should
> make it clear that it's an "auditing" one (just in case that the
> "auditing" aspect of OpenID is not clear to the Infocard user).
> ---Note to Journalists: a critical difference between OpenID webSSO and
> other schemes is that OpenID requires users always accept the
> possibility that the OP will be auditing.
Not to be mean, but you are implying here that *all* other webSSO
schemes do *not* require the auditing mode. Which I don't think
is true, and hence the above statement is not entirely fair (if it were
written by a journalist).
>> The other problem that I still seem to have with this spec is that
>> I do not exactly see what benefits over SAML it really has.
>
> What are the benefits of SAML tokens over OpenID tokens? :-)
>
> ... one can sign the assertion using RSA; one can verify using public
> key distribution. One doesn't need the verification via https.
And why is this better? Without more details one could easily argue
the opposite for the direct verification case.
> ...If the RP is storing the assertion for record keeping, the SAML
> assertion comes with its own integrity mechanism for record retention.
>
> ...In the case of offloading to a SAML2 server, the receiving SAML
> server does both the signature assertion checking (any https checking)
> and the records retention, locally-encrypting the assertions it stores
> in the records retention stores, as required.
And why wouldn't a similarly-featured OpenID Provider (server) do
exactly the same? These look like nice-to-have features that are not
really protocol related.
> ...Remember, SAML distinguished between signing the SAML Response
> envelope vs signing the assertion.
>
> ...Does InfoCard's delivery of SAMLTokens require or permit the STS to
> issue (RSA) signed SAML assertions?
Johnny
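[Editor's added example, not part of the message above or of either implementation discussed.] The point under debate is who can verify an assertion, and when. In Go's standard library, the two regimes can be modelled side by side: an OpenID-style HMAC under a per-association key (OpenID 2.0 uses HMAC-SHA1 or HMAC-SHA256), which only the OP and the associated RP can check locally and which anyone else must send back to the OP for direct verification, versus a SAML-style RSA signature over the assertion, which a third party holding only the OP's public key can check from a retention store long after the fact. The assertion string, the OP/RP names and the use of RSA PKCS#1 v1.5 in place of XML-DSig are constructed simplifications; neither the OpenID key-value form nor the SAML XML encoding is reproduced.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample assertion (not a real OpenID 2.0 key-value form or a
// SAML 2.0 XML assertion; only who-can-verify is modelled here).
const SampleAssertion = "claimed_id=https://alice.example/&op_endpoint=https://op.example/&response_nonce=2007-08-28T22:19:17Z"

// OP models an OpenID Provider / STS that signs the same assertion two ways.
type OP struct {
	signKey *rsa.PrivateKey // long-lived key; the public half is published
	macKey  []byte          // association secret shared with one RP
}

// Record is what an RP would keep in a retention store.
type Record struct {
	Assertion string
	MACSig    []byte // OpenID-style: HMAC-SHA256 under the association key
	RSASig    []byte // SAML-style: RSA signature over the assertion itself
}

// NewOP generates fresh keys; a real OP would load them from storage.
func NewOP() (*OP, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	mac := make([]byte, 32)
	if _, err := rand.Read(mac); err != nil {
		return nil, err
	}
	return &OP{signKey: k, macKey: mac}, nil
}

func (o *OP) PublicKey() *rsa.PublicKey { return &o.signKey.PublicKey }

// AssociationKey stands in for the OpenID association handshake that gives
// one RP the shared MAC key.
func (o *OP) AssociationKey() []byte { return o.macKey }

// Issue signs the assertion both ways so the two regimes can be compared.
func (o *OP) Issue(assertion string) (Record, error) {
	h := sha256.Sum256([]byte(assertion))
	sig, err := rsa.SignPKCS1v15(rand.Reader, o.signKey, crypto.SHA256, h[:])
	if err != nil {
		return Record{}, err
	}
	return Record{Assertion: assertion, MACSig: computeMAC(o.macKey, assertion), RSASig: sig}, nil
}

// CheckAuthentication models OpenID's direct verification: a party without
// the association key sends the signed fields back to the OP (over HTTPS in
// the real protocol) and the OP, which holds the key, answers. The OP must
// therefore be online and reachable at verification time.
func (o *OP) CheckAuthentication(r Record) bool {
	return VerifyWithAssociation(o.macKey, r)
}

func computeMAC(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// VerifyWithAssociation is what a party holding the MAC key can do locally.
// Anyone else (an auditor reading the archive, or the RP after the
// association expired) has nothing to recompute the HMAC with.
func VerifyWithAssociation(macKey []byte, r Record) bool {
	return hmac.Equal(computeMAC(macKey, r.Assertion), r.MACSig)
}

// VerifyFromArchive is what a party with only the OP's public key can do at
// any later time, offline, without contacting the OP.
func VerifyFromArchive(pub *rsa.PublicKey, r Record) bool {
	h := sha256.Sum256([]byte(r.Assertion))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], r.RSASig) == nil
}

// Tampered returns a copy whose claimed identifier has been altered, as a
// record in a retention store might be after the fact.
func Tampered(r Record) Record {
	r.Assertion = strings.Replace(r.Assertion, "alice", "mallory", 1)
	return r
}

func main() {
	op, err := NewOP()
	if err != nil {
		panic(err)
	}
	rec, err := op.Issue(SampleAssertion)
	if err != nil {
		panic(err)
	}
	fmt.Println("RP with association key:  ", VerifyWithAssociation(op.AssociationKey(), rec))
	fmt.Println("auditor, HMAC, no key:    ", VerifyWithAssociation(make([]byte, 32), rec))
	fmt.Println("auditor, RSA, public key: ", VerifyFromArchive(op.PublicKey(), rec))
	fmt.Println("auditor, tampered record: ", VerifyFromArchive(op.PublicKey(), Tampered(rec)))
}
```

Which of the two is "better" is exactly the trade-off left open in the thread: the HMAC path needs no key distribution but ties later verification to holding the association key or to the OP being reachable, while the RSA path needs the OP's public key to be distributed and trusted but lets a stored record stand on its own.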