[OpenID] OpenID attribute exchange question
Peter Williams
pwilliams at rapattoni.com
Mon Feb 4 02:46:19 UTC 2008
Let's say I'm an RP site that syndicates versions of folks' (unsigned) FOAF Files.
User does websso via openid2.0 to this RP site and the RP site uses AX to request claims according to the FOAF names for attributes (as it's entitled). Obviously, the AX resolver is responsible (as a pseudo-STS) to map these using its local knowledge that binds names/types used by the RP to the names/types of the attribute authority(s) that the AX protocol connects it to. Perhaps the RP site takes the LiveJournal FOAF Feed and adds in AX-delivered values from the public Google megacrawl/aggregation, as alternative (but accuracy-dubious) foaf file attribute values. The RP then establishes itself as an attribute authority of course, allowing another AX resolver associated with some other OP to present the data to yet another community of relying parties who really despise FOAF and love YANS (yet another naming scheme = e.g. US Realty's "standard" names for the same stuff). Et Cetera, recursively.
In the sxip-proposed openid/cardspace integration, the claims mapped from a cardspace SAML1.0 blob (whose issuer is (surely) formally an "attribute authority", since the claims are signaled using the SAML format's element for attribute statements - vs authorization statements) into the openid AX resolver are not merely name/value pairs: they are defined (*) authorization claims subject to authorization policy and RP trust management. Let's never forget that a cardspace self-issued card's claim "sic:surname=Williams" is really an implied authorization assertion: the right PossessProperty to access a resource (a string = "Williams", denoted as the implied-authorization claim: http://schema.xmlsoap.com/ws/2005/05/identity/claims/surname). Surely we can assume that AX (absent the sxip profile that makes AX work with cardspace) is generally a framework for "authorization" and "trust" signaling schemes, as necessarily interpreted/evaluated by RPs.
(*) http://www.pluralsight.com/blogs/tjanczuk/archive/2006/06/15/27746.aspx, with support in figure 1 http://www.cs.virginia.edu/~humphrey/papers/GridFTP_SecPAL_2007.pdf
So, unlike sreg (which is simple - get some registration wizard values for provisioning RP-side accounts by form-filling values maintained by the sxip plugin), the full AX protocols would seem not to require standardization of authorization claims. It would seem that any standardization of such claims would defeat the very purposes of the AX protocol - which presumably exists to *always* _map_ claim names/semantics, as they cross attribute management-domains/security-domains.
Just guessing. As always, the openid2 protocol specs are largely devoid of rationale and security architecture.
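The RP-side half of the flow Peter describes, as an added example that is not from the thread or from any OpenID library: an AX 1.0 fetch_request is built from axschema.org type URIs, the fetch_response is parsed (including multi-valued attributes via openid.ax.count), and a "pseudo-STS" mapping step renames each claim into a local scheme (FOAF property names here), tags it with the OP it came from, and drops types the local mapping table does not bind. The mapping table and the sample response are constructed for the example; the openid.ax.* key names and the axschema.org URIs are the ones defined by AX 1.0 and axschema.org.

```python
"""Added example (not from the thread or any OpenID library): RP-side AX 1.0
fetch request/response handling plus the "pseudo-STS" renaming step.
Values delivered over AX are treated as unverified claims with a source tag,
never as authoritative facts about the user."""

AX_NS = "http://openid.net/srv/ax/1.0"

# Assumed local mapping table: axschema.org type URI -> FOAF property name.
# Anything not listed here has no binding in this domain and is dropped.
TYPE_TO_FOAF = {
    "http://axschema.org/namePerson/first": "foaf:givenName",
    "http://axschema.org/namePerson/last": "foaf:familyName",
    "http://axschema.org/namePerson/friendly": "foaf:nick",
    "http://axschema.org/contact/email": "foaf:mbox",
}


def build_fetch_request(aliases):
    """aliases: {alias: type URI}. Returns the openid.* parameters an RP
    would append to the checkid_setup/checkid_immediate request."""
    req = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, uri in aliases.items():
        req["openid.ax.type." + alias] = uri
    req["openid.ax.required"] = ",".join(aliases)
    return req


def parse_fetch_response(params):
    """Return {type URI: [values]} from an AX fetch_response.
    Multi-valued attributes use openid.ax.count.<alias> and
    openid.ax.value.<alias>.<n> with n starting at 1."""
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")
    prefix = "openid.ax.type."
    claims = {}
    for key, uri in params.items():
        if not key.startswith(prefix):
            continue
        alias = key[len(prefix):]
        count_key = "openid.ax.count." + alias
        if count_key in params:
            n = int(params[count_key])
            values = [params["openid.ax.value.%s.%d" % (alias, i)] for i in range(1, n + 1)]
        else:
            single = "openid.ax.value." + alias
            values = [params[single]] if single in params else []
        claims[uri] = values
    return claims


def map_to_foaf(claims_by_type, source):
    """Pseudo-STS step: rename AX types to the local (FOAF) scheme and record
    where each value came from. Unbound types are dropped, not passed through."""
    mapped = []
    for uri, values in claims_by_type.items():
        local_name = TYPE_TO_FOAF.get(uri)
        if local_name is None:
            continue
        for value in values:
            mapped.append({"property": local_name, "value": value,
                           "source": source, "verified": False})
    return mapped


# Constructed sample fetch_response, as an OP might return it.
SAMPLE_RESPONSE = {
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.first": "http://axschema.org/namePerson/first",
    "openid.ax.value.first": "Peter",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.count.email": "2",
    "openid.ax.value.email.1": "peter@example.com",
    "openid.ax.value.email.2": "pw@example.net",
    "openid.ax.type.lang": "http://axschema.org/pref/language",  # no FOAF binding
    "openid.ax.value.lang": "en",
}

if __name__ == "__main__":
    print(build_fetch_request({"first": "http://axschema.org/namePerson/first",
                               "email": "http://axschema.org/contact/email"}))
    for claim in map_to_foaf(parse_fetch_response(SAMPLE_RESPONSE), "op.example"):
        print(claim)
```

The `verified: False` and `source` fields are the point of the mapping step: a downstream consumer (the next AX resolver in Peter's recursive chain) can see that a value was syndicated from a particular OP rather than attested by the RP itself.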
________________________________
From: general-bounces at openid.net on behalf of Chris Meyer
Sent: Fri 2/1/2008 2:20 PM
To: general at openid.net
Subject: [OpenID] OpenID attribute exchange question
What is the "official" schema for the attribute exchange?
I notice that www.axschema.org defines several attributes; but they don't work on myopenid.com.