[OpenID] cryptographics web of trust

Peter Williams pwilliams at rapattoni.com
Fri Sep 21 03:10:01 UTC 2007


> Just some thoughts. Anyway, thanks for helping me get some foothold
> in this space... I still have a lot to learn. Is there a place that
> explains SP-affiliation well...
> 
> Henry

SAML spec is rather like the RDF/RDFS/OWL specs: it makes the obvious
into the pretentious. At the same time, both exploit formalisms so
systems using them are eventually highly effective. The intended use
models become easy to exploit through the language itself.

SP-affiliation says: if (a) I rely on your assertion and I thus give you
a local name, then (b) others may rely on me to have provisioned this
localname which they will also use.

So (a) relies on the assertion.
So (b) other SPs rely on the name-provisioning of the first relying
party.

I expect SP-affiliation to be big news in realty, for reasons that are
entirely commercial.

SAML has several name-making models that control privacy when making
name-based assertions. It allows such things as trackingless assertions,
pseudonymous assertions, and plain simple blob assertions. You can
also define your own assertion "privacy" regimes, using the so-called
NameID protocol built into the "simple" SAML req/resp.

--------------

In Microsoft Windows, there has been an SP-affiliation "process" for SSL
client certs for years. (a) Once the client cert arrives at the
relying IIS server, which validates SSL integrity etc., it maps the
cn=peter value into a particular SID using a rulebase. (b) When a thread
spawns to perform an incoming web svc, the OS lets the thread impersonate
the SID because it's relying on the SID-making power of the kernel module
that did SSL/mapping.
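The SP-affiliation rule (a)/(b) and the NameID privacy regimes described above, modelled as an added Python example that is not code from the post or from any SAML product. It uses SAML 2.0's SPNameQualifier attribute, which the post does not name, to scope a persistent pseudonym to an affiliation; the entity IDs, the affiliation, the IdP secret and the HMAC derivation are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

IDP = "https://idp.example.org"            # constructed IdP entityID
IDP_SECRET = b"demo-only-pairwise-secret"  # constructed; a real IdP keeps this in a vault/HSM

# Constructed affiliation: two relying parties that agree to share one local name,
# i.e. (b) in the post: the second SP relies on the name the first one provisioned.
AFFILIATION = "urn:example:realty-affiliation"
MEMBERS = {"https://mls.example.com", "https://broker.example.com"}


def pairwise_pseudonym(user_id: str, sp_name_qualifier: str) -> str:
    """Opaque, stable pseudonym scoped to one SP or to one affiliation.

    SAML only requires an unguessable value; deriving it with HMAC over the
    (user, scope) pair is an implementation choice assumed for this demo."""
    msg = f"{user_id}|{sp_name_qualifier}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_name_id(user_id: str, sp_entity_id: str, fmt: str = PERSISTENT) -> ET.Element:
    """Build the <saml:NameID> an IdP would put in an assertion for sp_entity_id."""
    # A member of the affiliation gets a pseudonym scoped to the affiliation id
    # (SPNameQualifier), so every member sees the same value; an outsider gets a
    # pseudonym scoped to itself and cannot correlate the user with the members.
    scope = AFFILIATION if sp_entity_id in MEMBERS else sp_entity_id
    el = ET.Element(f"{{{NS}}}NameID", Format=fmt, NameQualifier=IDP, SPNameQualifier=scope)
    # Transient = fresh random value per assertion: nothing to track across logins.
    el.text = secrets.token_hex(16) if fmt == TRANSIENT else pairwise_pseudonym(user_id, scope)
    return el


def local_name_key(name_id: ET.Element) -> tuple:
    """What a relying party keys its local-name table on: the fully qualified
    identifier, never the bare value, which is unique only within its qualifiers."""
    return (name_id.get("Format"), name_id.get("NameQualifier"),
            name_id.get("SPNameQualifier"), name_id.text)
```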