[OpenID] Where's the added value?

Peter Williams pwilliams at rapattoni.com
Wed Aug 29 21:20:25 UTC 2007



> While we certainly haven't settled which is better out of the OpenID
> and SAML tokens, you are implying above that SAML is the *best* and
> hence no other possible token type will ever make sense. I hope you
> don't mind if I disagree here. 

[Peter Williams] 

Let me play an academic, and look for some authorities.

In
http://download.microsoft.com/download/1/1/a/11ac6505-e4c0-4e05-987c-6f1d31855cd2/Identity-Selector-Interop-Profile-v1.pdf
the author clearly implies additional benefits accrue to (any)
asymmetric key token (such as an RSA-signed SAML1.1 token), and biases
the conformance rules and norms in its favor.

"3.1.2. Type of proof key in issued tokens

An identity selector SHOULD request an asymmetric key token from the
identity provider to maximize user privacy and security if no explicit
key type is specified by the relying party."


