[OpenID] ANN: OpenID Information Cards spec and working implementation
Gerald Beuchelt
beuchelt at sun.com
Wed Aug 29 00:10:02 UTC 2007
And now a little more serious:
Johnny Bufu wrote:
>
> On 28-Aug-07, at 12:03 PM, Gerald Beuchelt wrote:
>> If I am reading this correctly, then (one of) the biggest differences
>> between a SAML payload and an OpenID token is that additional
>> user-specific communication between the RP and the OP/STS (in
>> accordance with the OpenID specs).
>
> Yes and no. It's additional only if with a SAML token you don't
> consider validating the token issuer.
>
Which is the default mode for the Infocard system and the only one in
line with Kim's laws.
> I could say that disclosing the visited site to the STS/OP is
> justifiable, because that's how OpenID works.
>
> The Infocard technology does allow this (managed cards with auditing
> mode enabled, and we're requiring it in the OpenID Information Cards
> spec). While aiming for the most privacy-protecting features, the
> Infocard specs define and allow this use case as well.
>
Yes, but if you take a look at least at Kim's blog, you will find that
he is quite uncomfortable with it:
"In other words, with auditing mode, a great deal of trust must be
placed in the identity provider. It should only be used in the
contexts where it is really required."
That is not exactly a strong endorsement of this mode of operation.
>
>> If the OpenID token changes this kind of behavior, this should be
>> very clearly indicated to the user before he/she can use it.
>
> It doesn't *change* this behavior; it uses this option out of a set.
>
> And yes - when issuing an OpenID Information Card the OP/STS should
> make it clear that it's an "auditing" one (just in case that the
> "auditing" aspect of OpenID is not clear to the Infocard user).
>
> Not sure if there are any Infocard UX recommendations here.
>
If not, there should be some.
>> The other problem that I still seem to have with this spec is that I
>> do not exactly see what benefits over SAML it really has.
>
> What are the benefits of SAML tokens over OpenID tokens? :-)
The ability to not run in auditing mode, for starters.
Best,
Gerry