[OpenID] Clarifiction Spec 1.1 v 2.0

Peter Williams pwilliams at rapattoni.com
Fri Jan 4 21:22:20 UTC 2008


Talking of community errata, a little story on how openid is impacting the practice of its older cousin: SAML
 
Playing last year with the openid libraries, and having got used to single-stepping through source code, I got used to an RP requesting an immediate response of an OP and perhaps having to process a negative assertion. For example, an ajax control on the landing page of the SP, refreshed 61m after SP login via openid, would issue the immediate request: as a result, when no valid (60m expiry) session exists on the OP, a negative assertion is properly returned - without the OP ever correctly invoking any user controls ... trying to get the subject's authorization to re-create one.
 
Having got used to the feature - and it working correctly and as expected - I specified an implementation deployment for a customer engagement that applied the SAML equivalent (IsPassive) - only to find that the SAML vendor only partially supports this and other similar SP-side controls (and obviously the Liberty test suite for Liberty Interoperable compliance doesn't address the issue, in the lower-end conformance profiles). While the SAML protocol allows several SP controls (such as IsPassive and AllowCreate) and specifies what an IDP responder MUST do when unable to fulfill the semantics of the protocol control, the vendor didn't enable the likes of me to issue the required (and necessary for formal conformance) "negative assertion" (which in SAML is a SAMLResponse with status-code = notok).
 
Given I was playing with IDP proxying all last year (of which my openidOP->SAML-IDP->openidOP proxies were simplistic but conforming instances, under the SAML standard), I also took a look at how well my vendor supported the OASIS controls on IDP proxying in SAML2 land. I would not say it's an openid errata item, but openid2 may have an open design issue on this topic. A study of how SAML2 addresses the issue of IDP proxying controls may be useful for controlling OP proxying.

________________________________

From: general-bounces at openid.net on behalf of Josh Hoyt
Sent: Fri 1/4/2008 12:21 PM
To: Johnny Bufu
Cc: OpenID List
Subject: Re: [OpenID] Clarifiction Spec 1.1 v 2.0



On Jan 4, 2008 10:41 AM, Johnny Bufu <johnny at sxip.com> wrote:
> > We think Spec 2.0: 11.4.2.2 should include openid.mode
> >
> > Can someone clarify if the spec is wrong or whether it is left out on
> > purpose?
>
> I believe it's an overlook / typo in the v1.1 spec, because:
>
> - there's no need for a mode parameter in direct responses
> - association responses in v1.1 also don't have a mode parameter
> - everywhere else (1.1 and 2.0) direct response parameters are not
> prefixed with "openid."

Johnny's dead on. I mentioned this before with respect to the 2.0
spec, but we should have errata documents for each spec. I created a
wiki page to start collecting the errata for OpenID 2.0 Authentication
[1] and OpenID 1.1 Authentication [2]. Eventually, I'll get around to
filling them in with what I know, but if someone else wants to step up
and start collecting the errata, your efforts would be most welcome.

Eventually, I think we should put them in more official documents, but
I hope this will be an effective way to collect the errata.

j3h

1. http://wiki.openid.net/Errata_-_OpenID_2.0_Authentication
2. http://wiki.openid.net/Errata_-_OpenID_1.1_Authentication
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
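Worked example added here (not code from the thread, nor from any OpenID library) covering both points raised above: how an RP should treat the negative assertion that comes back from a checkid_immediate request, and why the check_authentication direct response must be read from is_valid alone rather than from any openid.mode line. The sample messages and the setup URL are constructed.

```python
OPENID_2_NS = "http://specs.openid.net/auth/2.0"


def parse_kv_form(body: str) -> dict:
    """Parse a Key-Value Form direct response ('key:value' per line).
    Direct responses use bare keys: no 'openid.' prefix and no mode."""
    params = {}
    for line in body.splitlines():
        if ":" not in line:
            raise ValueError(f"malformed key-value line: {line!r}")
        key, value = line.split(":", 1)
        params[key] = value
    return params


def classify_immediate_response(params: dict) -> str:
    """Classify the indirect response to a checkid_immediate request as
    'positive', 'setup_needed', 'cancel' or 'error'.
    2.0 signals a negative assertion with mode 'setup_needed'; 1.1 reuses
    mode 'id_res' and adds 'openid.user_setup_url'. The caller must still
    verify the signature before acting on 'positive'."""
    mode = params.get("openid.mode")
    is_v2 = params.get("openid.ns") == OPENID_2_NS
    if mode == "setup_needed" and is_v2:
        return "setup_needed"
    if mode == "cancel":
        return "cancel"
    if mode == "id_res":
        if not is_v2 and "openid.user_setup_url" in params:
            return "setup_needed"  # 1.1-style negative assertion
        return "positive"
    return "error"


def check_authentication_is_valid(body: str) -> bool:
    """Read a check_authentication direct response. Only 'is_valid' matters;
    a stray 'openid.mode:id_res' line (the 1.1 errata item discussed in
    the thread) is tolerated but never relied on."""
    return parse_kv_form(body).get("is_valid") == "true"


# Constructed sample messages, not captured from any real OP.
V2_NEGATIVE = {"openid.ns": OPENID_2_NS, "openid.mode": "setup_needed"}
V1_NEGATIVE = {"openid.mode": "id_res",
               "openid.user_setup_url": "https://op.example/setup"}
V2_DIRECT_OK = "ns:" + OPENID_2_NS + "\nis_valid:true\n"
V1_DIRECT_OK = "openid.mode:id_res\nis_valid:true\n"
```

A setup_needed result is the RP's cue to fall back to a checkid_setup round trip with the user present, exactly the behaviour Peter describes for the expired-session refresh.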
