[OpenID] Trust + Security @ OpenID

Eric Norman ejnorman at doit.wisc.edu
Tue Jul 10 12:50:51 UTC 2007


On Jul 9, 2007, at 3:39 PM, Johnny Bufu wrote:

>
> On 8-Jul-07, at 7:13 PM, Eric Norman wrote:
>
>> 3.  Can I, as an RP, have independent testimony about the accuracy of
>> these statements
>> (claims)?   That's what an IdP provides.  An IdP consults the records
>> it maintains about
>> someone and provides testimony in the form of statements that reflect
>> what's in those
>> records.
>>
>> I think that's one of the main reasons that some in the OpenID
>> community prefer to use
>> the term OP instead of IdP.  There is really no mechanism by which an
>> OP can provide
>> independent testimony.
>
> The OP may not be able to be the source of such statements, but the 
> OpenID framework (core protocol and extension) allows this.

Right.  I was wrong.  I should have had my brain engaged.

> OpenID Authentication performs the exchange of the authentication 
> attribute.
>
> With Attribute Exchange [1], RPs can request (and enforce if they 
> choose to) whatever proof attributes they need, originating from third 
> parties they choose to trust. In order for the trust verification to 
> be possible, Signed Assertions [2] can be used. It is then up to the 
> users / OPs to acquire the proofs needed to satisfy RPs' requirements.
>
> This can be done today with OpenID, still in a decentralized way but 
> this time trust is RP-centric.
>
> Johnny
>
> [1] http://openid.net/specs/openid-attribute-exchange-1_0-05.html
> [2] http://www.mail-archive.com/specs@openid.net/msg00907.html

Nevertheless, as for (2), it sure does seem to me that if an extant
SAML 2.0 profile isn't suitable, then it would be best to engage and
work with the SAML folks and come up with a profile or SAML 2.1 that
is suitable for everyone.  Creating a tower of Babel out of something
as simple as languages/encodings/representations sure doesn't seem
like a very good way to go.

Yes, there's that WS-* stuff too.  Maybe we should lock everyone
in a room with lots of beer and pizza until they come out with
WS-SAML or something like that.

Eric Norman
http://ejnorman.blogspot.com
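The RP-centric trust model Johnny describes (a third party signs attribute claims, the OP relays them, and the RP decides whose signatures it accepts) is illustrated below as an added example that is not part of this thread and not code from the OpenID specifications. The assertion format, the attribute type URIs and the issuer identifiers are constructed for the example; Ed25519 from the Go standard library stands in for whatever signature scheme the Signed Assertions draft specifies. What it shows is the security-relevant point: the OP sits in the path but cannot alter the vouched-for values without breaking the signature, and an RP that does not list an issuer among its trust anchors rejects the assertion regardless of how it was delivered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Assertion is a hypothetical signed attribute assertion: a third party
// (say, a registrar) vouches for attribute values about a user. The
// encoding is constructed for this example and is NOT the OpenID
// Signed Assertions format.
type Assertion struct {
	Issuer  string            // identifier of the vouching third party
	Subject string            // the user's OpenID identifier
	Attrs   map[string]string // attribute type URI -> value
	Sig     []byte            // Ed25519 signature over canonical bytes
}

// canonical yields a deterministic byte string so issuer and RP sign and
// verify exactly the same thing regardless of map iteration order.
func canonical(a Assertion) []byte {
	keys := make([]string, 0, len(a.Attrs))
	for k := range a.Attrs {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	fmt.Fprintf(&b, "issuer=%s\nsubject=%s\n", a.Issuer, a.Subject)
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, a.Attrs[k])
	}
	return []byte(b.String())
}

// NewIssuerKey generates a signing key pair for a third-party issuer.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue is the third party's side: sign the attributes it is vouching for.
func Issue(priv ed25519.PrivateKey, issuer, subject string, attrs map[string]string) Assertion {
	a := Assertion{Issuer: issuer, Subject: subject, Attrs: attrs}
	a.Sig = ed25519.Sign(priv, canonical(a))
	return a
}

// RelyingParty holds the RP-chosen trust anchors: the issuers whose
// signatures this particular RP is willing to accept.
type RelyingParty struct {
	Trusted map[string]ed25519.PublicKey
}

// Verify is the RP-side check. The OP only relays the assertion; the
// decision to trust it rests on the RP's own list of third-party keys.
func (rp RelyingParty) Verify(a Assertion, expectedSubject string, required []string) error {
	pub, ok := rp.Trusted[a.Issuer]
	if !ok {
		return errors.New("issuer not trusted by this RP: " + a.Issuer)
	}
	if a.Subject != expectedSubject {
		return errors.New("assertion is about a different subject")
	}
	if !ed25519.Verify(pub, canonical(a), a.Sig) {
		return errors.New("signature invalid: values altered in transit or wrong issuer key")
	}
	for _, r := range required {
		if _, present := a.Attrs[r]; !present {
			return errors.New("required attribute missing: " + r)
		}
	}
	return nil
}

func main() {
	pub, priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the RP trusts exactly one issuer.
	const issuer = "https://registrar.example.edu/"
	const attrEnrolled = "http://example.edu/axschema/enrolled" // hypothetical AX type URI
	rp := RelyingParty{Trusted: map[string]ed25519.PublicKey{issuer: pub}}

	a := Issue(priv, issuer, "https://alice.example.org/", map[string]string{attrEnrolled: "true"})
	fmt.Println("genuine:", rp.Verify(a, "https://alice.example.org/", []string{attrEnrolled}))

	// An OP (or anyone else in the path) that edits a value breaks the signature.
	tampered := a
	tampered.Attrs = map[string]string{attrEnrolled: "false"}
	fmt.Println("tampered:", rp.Verify(tampered, "https://alice.example.org/", []string{attrEnrolled}))
}
```

The canonicalisation step is the part that is easy to get wrong in practice: if the signer and verifier serialise the attribute set differently (map order, whitespace, encoding), a genuine assertion fails to verify, which tends to push implementers toward disabling the check rather than fixing the encoding. Pinning a deterministic encoding on both sides, as above, keeps the RP's rejection of a tampered assertion meaningful.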