[OpenID] Multiple Domains and State
Peter Williams
pwilliams at rapattoni.com
Thu Apr 24 16:20:38 UTC 2008
A realm of *.com is only bad practice if one is equating OpenID realms with CN wildcards in SSL server certs, or more formal per-recipient tokens enforced with crypto and attribute-matching logics. As OpenID has little mainstream practice, it's hard to say what is good or bad. The jury has not even been called, let alone sat to hear the evidence.
If we look at OpenID realms, it's not obvious that the construct is an authorization control - guarding what RPs may accept. I would not concur either that realm is to OP what realm is to the trust model in NT Active Directory, for example, augmenting cross-forest trust practices to cooperate with other Kerberos realms. Rather, realm seems to be being used (and who knows with OpenID!) as the 'notice of intended scope' by RP to user, in the Law #4 sense, enabling the user to then give notice of the limits to which the notice of an expectation of privacy is being waived. In XACML speak, it's an obligation passing.
This is all fitting quite nicely with a theory of reliance.
-----Original Message-----
From: Nate Klingenstein <ndk at internet2.edu>
Sent: Thursday, April 24, 2008 7:34 AM
To: Trey Long <trey at propeller.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Multiple Domains and State
Trey,
> I apologize but the language of the spec (9.2) from a standpoint of
> speculation is hard to follow. I can't quite grasp how realms would
> facilitate the task at hand. Also I would assume auth.com is a
> trusted resource of some kind which is given permission to act as a
> proxy from which OpenID authentication occurs.
Using realms as in 9.2, you could ask openid.com to issue an
assertion that was valid at both auth.com and end-domain.com by using
appropriate wildcarding. Then, auth.com could just forward the
assertion along unmodified and end-domain.com could accept it. The
trouble is, issuing a *.com assertion is extremely bad practice, so
you need either a lot of commonality in domain names, a real trust
fabric, or, preferably, both.
Appreciate your patience through my long-winded explanations,
Nate.
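The realm-matching rule Nate refers to (OpenID Authentication 2.0, section 9.2) and why a `*.com` realm is so broad, as an added Python example that is not part of the original thread. It implements the spec's three matching conditions (scheme and port, path prefix, host with optional leftmost `*.` wildcard). Two things are my own assumptions rather than spec text: the wildcard is matched on a label boundary (so `*.example.com` does not match `notexample.com`), and `realm_is_sane` is a constructed broadness check with a tiny placeholder suffix list; a real OP would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed placeholder, NOT a real public-suffix list; a deployment would
# load the Public Suffix List (publicsuffix.org) instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def _effective_port(parts):
    """Return the explicit port, or the scheme default (http=80, https=443)."""
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def realm_matches(realm: str, url: str) -> bool:
    """Does `url` (e.g. a return_to) fall inside `realm`? (section 9.2 rules)"""
    r, u = urlsplit(realm), urlsplit(url)
    if r.fragment:                      # realm MUST NOT contain a fragment
        return False
    # 1. scheme and port must be identical
    if r.scheme != u.scheme or _effective_port(r) != _effective_port(u):
        return False
    # 2. URL path must equal the realm path or be a sub-directory of it
    rpath, upath = r.path or "/", u.path or "/"
    if not (upath == rpath or upath.startswith(rpath.rstrip("/") + "/")):
        return False
    # 3. host: exact match, or "*." wildcard as the leftmost label only
    rhost = (r.hostname or "").lower()
    uhost = (u.hostname or "").lower()
    if "*" in uhost:
        return False
    if rhost.startswith("*."):
        base = rhost[2:]
        if "*" in base:
            return False            # wildcard allowed only as leftmost label
        # Assumption: match on a label boundary, so the trailing part of the
        # host is "base" itself or ".base", never just a string suffix.
        return uhost == base or uhost.endswith("." + base)
    if "*" in rhost:
        return False
    return uhost == rhost


def realm_is_sane(realm: str) -> bool:
    """Constructed heuristic: refuse realms whose wildcard covers a whole TLD
    or public suffix (the '*.com' case from the thread)."""
    r = urlsplit(realm)
    host = (r.hostname or "").lower()
    if r.scheme not in ("http", "https") or not host or r.fragment:
        return False
    if "*" not in host:
        return True
    if not host.startswith("*.") or "*" in host[2:]:
        return False                # wildcard must be the leftmost label
    base = host[2:]
    labels = [lb for lb in base.split(".") if lb]
    # Need at least a registrable domain after the wildcard, and that domain
    # must not itself be a public suffix.
    return len(labels) >= 2 and base not in PUBLIC_SUFFIXES


if __name__ == "__main__":
    # The scenario from the thread: one assertion scoped to "*.com" is
    # accepted at both unrelated sites, which is why it is so broad.
    for site in ("http://auth.com/openid/return", "http://end-domain.com/cb"):
        print(site, "matches http://*.com/ ->", realm_matches("http://*.com/", site))
    print("http://*.com/ sane ->", realm_is_sane("http://*.com/"))
    print("http://*.example.com/ sane ->", realm_is_sane("http://*.example.com/"))
```

The first function is the check an OP or RP library performs when validating `return_to` against `openid.realm`; the second is the extra policy Nate's "extremely bad practice" remark implies, since the spec's matching rules alone happily accept `*.com`.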