[OpenID] Infocards [SAML Token] Vs OpenID Infocards [OpenID Token]

Johnny Bufu johnny at sxip.com
Wed Dec 19 19:00:41 UTC 2007


On 19-Dec-07, at 8:30 AM, Peter Williams wrote:

> The only claim I've ever heard is that library implementors have  
> less work to do parsing an openid msg, in contrast to parsing a xml  
> message (using xerces etc). Thus there is lower start up cost to  
> folks who have no access to an existing saml library (e.g. that which  
> comes with Windows).

Yes, that's one of the main advantages (to which I would add no  
infocard crypto requirements - the OpenID Infocard token is posted in  
clear text to the RP).

> The main analytical difference is, in my view, the application of  
> infocards with async ws-security protocols, where the saml mesg  
> format comes into its own as it exploits asymmetric security  
> services befitting the connectionless modes of web services.

The OpenID RP validates the message signature by calling the OP  
directly, through either the direct verification call or the (still  
direct) initial association.

This also validates the OpenID "token issuer" (the OP), for which the  
equivalent in the Infocard + SAML case would be the initial (manual?)  
key exchange.


The same OpenID identifier can thus be used across many RPs (if one  
wishes to build reputation around it), a feature which I believe  
cannot be accomplished with the current Infocard + SAML specification  
which strictly enforces the directed identity law.


Johnny
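The two RP-side verification paths described in this message (recomputing the MAC with the key from the initial association, or posting the assertion back to the OP for direct verification), worked through as an added example that is not part of the original post or of any OpenID library. All values (MAC key, association handle, endpoints, nonce) are constructed; the example follows the OpenID 2.0 signed-string format and the `is_valid` key-value reply, and also shows how a tampered assertion fails both checks.

```python
import base64
import hashlib
import hmac

# Constructed sample values for illustration only; not real OP data.
OPENID_NS = "http://specs.openid.net/auth/2.0"
MAC_KEY = hashlib.sha256(b"constructed-association-secret").digest()  # HMAC-SHA256 association key
ASSOC_HANDLE = "assoc-example-1"

def signed_string(fields, signed):
    """OpenID 2.0 signed data: 'name:value\\n' for each name in openid.signed, in order."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed.split(","))

def compute_sig(fields, mac_key):
    """Base64 HMAC-SHA256 over the signed string, as placed in openid.sig."""
    data = signed_string(fields, fields["openid.signed"]).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha256).digest()).decode()

def sign_assertion(fields, mac_key):
    """OP side: attach openid.sig to a positive assertion (sent in clear text to the RP)."""
    return dict(fields, **{"openid.sig": compute_sig(fields, mac_key)})

def verify_with_association(fields, mac_key):
    """RP side, stateful mode: recompute the MAC with the key from the initial association."""
    return hmac.compare_digest(compute_sig(fields, mac_key), fields.get("openid.sig", ""))

def op_check_authentication(fields, assoc_store):
    """OP side, stateless mode: answer a check_authentication request in key-value form."""
    key = assoc_store.get(fields.get("openid.assoc_handle"))
    ok = key is not None and verify_with_association(fields, key)
    return f"ns:{OPENID_NS}\nis_valid:{'true' if ok else 'false'}\n"

def rp_verify_direct(fields, assoc_store):
    """RP side, stateless mode: post the assertion back to the OP and read is_valid."""
    reply = dict(line.split(":", 1) for line in op_check_authentication(fields, assoc_store).splitlines())
    return reply.get("is_valid") == "true"

# Constructed positive assertion as an OP would return it to the RP's return_to URL.
ASSERTION = sign_assertion({
    "openid.ns": OPENID_NS, "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/", "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/finish",
    "openid.response_nonce": "2007-12-19T19:00:41ZabcDEF", "openid.assoc_handle": ASSOC_HANDLE,
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}, MAC_KEY)
ASSOC_STORE = {ASSOC_HANDLE: MAC_KEY}  # the OP's record of the association
TAMPERED = dict(ASSERTION, **{"openid.claimed_id": "https://someone-else.example/"})
```

Because the assertion travels in clear text, its integrity rests entirely on the MAC: any field listed in `openid.signed` that is altered in transit makes both the association check and the OP's `is_valid` reply come back false.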
