[OpenID] Trust + Security @ OpenID
Johnny Bufu
johnny at sxip.com
Tue Jul 10 21:52:06 UTC 2007
On 10-Jul-07, at 2:10 PM, Peter Williams wrote:
>> With Attribute Exchange [1], RPs can request (and enforce if they
>> choose to) whatever proof attributes they need, originating from
>> third
>> parties they choose to trust.
>
> I've never seen that particular proof semantics attached to the
> attribute exchange, before.
>
> In more specs using more formal language (i.e. SAML) an attribute
> is either declared to be an authenticationStatement (perhaps, a
> "proof grade" statement), or declared to be other than... an
> authenticationStatement.
>
> I had also not picked up from the spec that non Authentication-grade
> attributes could be obtained from arbitrary third parties,
> operating OpenID Exchange Listeners and Agents.
The AX spec does not place any constraints on the attribute type URI
or the attribute values, so yes, attributes can be anything. From the
overview section:
"An attribute is a unit of personal identity information that is
identified by a unique URI. It may refer to any kind of information.
A reference example of defining attribute types is provided by
[OpenID.axschema]."
> In OpenID2, there was the implication that the OP was the supplier
> of such attributes, using the OpenID Exchange protocol; and, there
> was a means to subclass such OPs, for the different types of
> attribute sets to be supplied.
Yes, the OP is the repository of the user's attributes and supplies
them to RPs. It doesn't have to also be the issuer of each
attribute's value (except, of course, the 'authentication' attribute
associated with the OpenID identifier for which it is authoritative).
> Now, the big question is... does the architecture of OpenID2
> envision that "Attribute Authorities" offering OpenID Exchange
> endpoints, can complete the associated Exchange protocol in the
> absence of the user having completed OpenID Authentication with
> that very same AA (when, obviously, using its co-resident OP
> endpoints)?
OpenID Attribute Exchange is an OpenID extension, which is
'transported' on top of an OpenID Authentication message. So an
authentication transaction would have to take place.
Now... OpenID2 allows for openid.identity / openid.claimed_id to be
optional, but we haven't defined how exactly that should work.
Do you have a specific use case in mind? If yes I would be interested
to know it.
Johnny
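The point made above, that the AX spec constrains neither the attribute type URIs nor their values and that the OP merely stores what it returns, means the RP itself has to decide which attributes it requires and which OP endpoints it trusts to supply them. The following is an added example of such an RP-side check, not code from the original post or from the AX spec; it assumes the OpenID response has already been signature-verified, uses the AX 1.0 `openid.ax.*` parameter names, and the OP endpoint, attribute values and the `SAMPLE_RESPONSE` dictionary are constructed samples.

```python
AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample: the AX part of an OP's positive assertion, keyed
# exactly as the parameters arrive on the wire after signature checking.
SAMPLE_RESPONSE = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org",
    "openid.ax.type.lang": "http://axschema.org/pref/language",
    "openid.ax.count.lang": "2",
    "openid.ax.value.lang.1": "en",
    "openid.ax.value.lang.2": "ro",
}

def parse_ax_response(params):
    """Map attribute type URI -> list of values from openid.ax.* params.
    Handles single-valued (value.<alias>) and multi-valued
    (count.<alias> + value.<alias>.<n>) attributes; None if no AX payload."""
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "fetch_response":
        return None
    attrs = {}
    for key, type_uri in params.items():
        if not key.startswith("openid.ax.type."):
            continue
        alias = key[len("openid.ax.type."):]
        count = params.get(f"openid.ax.count.{alias}")
        if count is None:
            single = params.get(f"openid.ax.value.{alias}")
            values = [single] if single is not None else []
        else:
            values = [params.get(f"openid.ax.value.{alias}.{i}") for i in range(1, int(count) + 1)]
            values = [v for v in values if v is not None]
        attrs[type_uri] = values
    return attrs

def enforce_policy(params, op_endpoint, trusted_ops, required_types):
    """RP-side enforcement: the AX spec constrains neither the type URIs nor
    the values, so the RP decides which types it requires and which OP
    endpoints it trusts to supply them. Returns (ok, reason, attrs)."""
    if op_endpoint not in trusted_ops:
        return False, "untrusted OP endpoint", {}
    attrs = parse_ax_response(params)
    if attrs is None:
        return False, "no AX fetch_response", {}
    missing = [t for t in required_types if not attrs.get(t)]
    if missing:
        return False, "missing required attributes: " + ", ".join(missing), attrs
    return True, "ok", attrs
```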