[OpenID] Attribute Exchange proposal and verified attributes in action

Dick Hardt dick at sxip.com
Fri Jan 19 00:15:51 UTC 2007


We demoed this at IIW back in early December, and realized people on  
this list might be interested in seeing it first hand.

Apologies if you don't care about Attribute Exchange, but thought  
there is nothing like seeing something for real to make things clear.

The demo shows self asserted attribute exchange, verified attribute  
exchange (both fetch and store).

Here are the steps

1) You need to install Sxipper (since it is the only OP we know of
   that supports the OpenID Attribute Exchange draft):
   http://www.sxipper.com (you will need to be running Firefox -- 2.0
   is best -- http://firefox.com)

2) Go to https://verify.sxip.com/email/

3) Select your public identifier and release an email address.

4) You should get an email with a verification link in it; click on
   the link (or copy and paste it into Firefox if it is not your default
   browser).

5) You will log in again so that we know it is still you.

6) You will then be prompted to store the verified email assertion
   back with your OP (Sxipper in this case).
   (If you had other OpenIDs you would like associated with the email,
   then you could do that, but you can't now.)

7) Go to https://verify.sxip.com/demorp/ to use the verified email.

8) Log into the demo RP to see attributes being released as well as
   the SAML assertion.

9) Once logged in, you can show the assertion.

Inside the SAML assertion you will see that the Subject is your OpenID:

...
<Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:entity">https://dick.sxipper.com/</NameID>
</Subject>
...

And the attribute name and value:

...
<Attribute
    Name="http://schema.openid.net/contact/emailHash"
    NameFormat="urn:oasis:names:tc:SAML:2.0:profiles:attribute:uri">
    <AttributeValue>cbfe384c7dca8f304b75112355c046f7b5684a10</AttributeValue>
</Attribute>
...

Note the value is a hash of your email address, not your email
address. This way you can prove you have a specific email address
without actually disclosing your email address. Since you can provide
your email address unverified, the two together allow you to share
your email address and prove that you own it.

Hopefully this is useful for some of the discussions that have been  
happening on the list.

Any feedback on how SAML was used or the overall flow would be  
appreciated, although that is best done on the specs at openid.net list.

-- Dick