[OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06

Joseph Anthony Pasquale Holsten joseph at josephholsten.com
Thu Jan 24 07:17:15 UTC 2008


On 02008:01:21, at 7:57CST, Peter Williams wrote:
> Intending to speak non-threateningly, I know (as a security
> designer on the dumber end of the know-how spectrum) that I want
> next to investigate SAML2 and its use of NAPTRs. It's in this area
> where there appears a conflict of infrastructure vision between
> openid and SAML2 - one that concerns me.
>
> Openid Auth (over https) is fine as a lightweight websso protocol.
> But, the whole XRD and XRI emphasis conflicts with general IETF
> direction in DNS, NAPTRs, walled-garden ENUM etc. I know for my
> part, I don't yet know how to reconcile these two infrastructure
> visions on resolving names to services, particularly as the websso
> assurance depends on secure name resolution. I do know I'm
> personally arming a new SAML2 party each week (in US realty), with
> increasingly sophisticated use of the fancier SAML2 features (which
> bodes well for openid2, which has the same feature set as SAML in the
> 80% of features that most matter).

What are you referring to about conflicts with the IETF direction? I
haven't monitored IETF work in years, so please excuse my ignorance.
Are you referring to the way XRI extends existing URI infrastructure?
Does non-XRI XRD resolution (née yadis) overcome these conflicts in
your eyes?

> Whilst we at rapattoni have made a commitment to ensure we can join
> realty's websso infrastructure to the web2.0 world via openid2,
> beyond that limited goal I'm not sure how to characterize what we
> will do with openid. I think it all comes down to SPECIFICALLY how
> the UCI management vision takes off, or not, in such business
> applications as are building on all the various successful social
> networking practices proven over the last few years.

I wonder, are you implementing openid alongside SAML2? It seems that
most of the SSO uses we've had at my work are best solved with OAuth,
although if the site you're SSOing with acts as an OP, I guess AX
would be sufficient.

http:// Joseph Holsten .com
