[OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06

Drummond Reed drummond.reed at cordance.net
Thu Jan 24 20:13:31 UTC 2008


+1. To make it even easier to access, links to all the key current specs
from the XRI TC are also maintained directly on the TC home page,
http://www.oasis-open.org/committees/xri/. The two current specs are:

  XRI Syntax 2.0 Committee Draft 02:
  http://www.oasis-open.org/committees/download.php/15377

  XRI Resolution 2.0 Committee Draft 02:
  http://docs.oasis-open.org/xri/2.0/specs/cd02/xri-resolution-V2.0-cd-02.pdf

Since reading specs is often not the best way to get questions answered ;-),
the XRI TC just discussed this morning creating a new, non-normative
document, "Best Practices for Using XRI and XRDS with OpenID" that will help
answer lots of questions about XRI and XRDS usage that are coming up in
OpenID 2.0 implementations (mostly on the RP side). John Bradley is leading
this effort. I cc'd him. Let us know if you'd like to be involved.


=Drummond 


  _____  

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Gabe Wachob
Sent: Thursday, January 24, 2008 11:19 AM
To: Peter Williams
Cc: openid-general
Subject: Re: [OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06


Peter-
   OASIS specs (drafts too, usually) are published publicly and for free.
You can find the XRI TC docs at:
http://www.oasis-open.org/committees/documents.php?wg_abbrev=xri

   If you have any issues accessing documents, you can email me personally. 

    -Gabe



On Jan 24, 2008 11:12 AM, Peter Williams <pwilliams at rapattoni.com> wrote:

2 questions:

Q1. How does XRI/XRD conflict with ENUM/NAPTR and IETF-style provisioning of
name and service records in DNS?


A1: You have not read IETF stuff, and I have not read XRI stuff (because it
costs money to read even a draft OASIS standard). We are kind of stuck in a
deadlock. Thus, I go with the IETF stuff, expressed particularly in ENUM.

- The basic YADIS approach (read an XRS stream from an http endpoint) seems
like a temporary hack, in the big scheme of things. Going XRI native or XRI
proxies is a blind alley for me, personally, right now (as I'm ignorant of
what it all means, ultimately).

- Walled-garden ENUM (where the walled-garden variant was a hard-won battle
in IETF, note) shows how reliance on openid could be walled off, without
forcing the walling procedures to use protocol-level security controls
(encryption etc.) or qualified namespaces.



Q2. How can openid2 and SAML2 cooperate (within the SAML2 proxying model and
nameid-qualification/autocreate model)?

A2: OpenID2 (like SAML2) assumes matters of qualified naming and account
subscription/provisioning are handled as local matters, using some or other
backend (probably legacy) system. We happen to have fronted our proprietary
stuff (that covers about 85% of realty's 2.5 million current or recently
expired accounts) with a SAML endpoint, saying to the world: ok! stop whining
about realty proprietary legacy systems: here is an open interface. Get on
with it. You have naming protocols, encryption protocols, assertion
protocols, now even attribute query protocols. When I finally get my head
around SAML+XACML, we will add authorization protocols via PEPs/PDPs/PAPs.

We are perfectly happy for the openid2 protocol engine to be either a downstream
or upstream SAML/legacy proxy (in the formal SAML IDP proxying model). You
want to talk to realty via openid protocols..? Wonderful. Here is how (not
that you really need to know) it maps onto realty's open SAML interfaces so
we can realize your desire. In certain advanced cases, the openid relying
party will have business rules that DEMAND that it knows about what proxying
went on, and with whom. So, we will have to "emulate" certain SAML signals
as AX attributes, probably. Or, openid3 will do it properly.

Peter (speaking for Rapattoni, not various other realty systems vendors or
NAR).

________________________________

From: Joseph Holsten on behalf of Joseph Anthony Pasquale Holsten 
Sent: Wed 1/23/2008 11:17 PM
To: Peter Williams
Cc: Drummond Reed; openid-general
Subject: Re: [OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06



On 02008:01:21, at 7:57CST, Peter Williams wrote: 

    Intending to speak non-threateningly, I know (as a security designer
on the dumber end of the know-how spectrum) that I want next to investigate
SAML2 and its use of NAPTRs. It's in this area where there appears a conflict
of infrastructure vision between openid and SAML2, one that concerns me.

    Openid Auth (over https) is fine as a lightweight websso protocol.
But, the whole XRD and XRI emphasis conflicts with general IETF direction in
DNS, NAPTRs, walled-garden ENUM etc. I know for my part, I don't yet know
how to reconcile these two infrastructure visions on resolving names to
services, particularly as the websso assurance depends on secure name resolution.
I do know I'm personally arming a new SAML2 party each week (in US realty),
with increasingly sophisticated use of the fancier SAML2 features (which
bodes well for openid2, which has the same feature set as SAML in the 80% of
features that most matter).


What are you referring to about conflicts with the IETF direction? I haven't
monitored IETF work in years, so please excuse my ignorance. Are you
referring to the way XRI extends existing URI infrastructure? Does non-XRI
XRD resolution (nee yadis) overcome these conflicts in your eyes?




    Whilst we at rapattoni have made a commitment to ensure we can join
realty's websso infrastructure to the web2.0 world via openid2, beyond that
limited goal I'm not sure how to characterize what we will do with openid. I
think it all comes down to SPECIFICALLY how the UCI management vision takes
off, or not, in such business applications as are building on all the
various successful social networking practices proven over the last few
years.


I wonder, are you implementing openid alongside SAML2? It seems that most of
the SSO uses we've had at my work are best solved with OAuth, although if
the site you're SSOing with acts as an OP, I guess AX would be sufficient. 

http://JosephHolsten.com




_______________________________________________
general mailing list
general at openid.net  <mailto:general at openid.net> 
http://openid.net/mailman/listinfo/general




-- 
Gabe Wachob / gwachob at wachob.com \ http://blog.wachob.com 
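The thread above turns on how an OpenID relying party resolves an identifier to a service endpoint: Peter's "YADIS approach (read an XRS stream from an http endpoint)" and Joseph's "non-XRI XRD resolution (nee yadis)" both refer to fetching an XRDS document and picking a Service element from it. As an added illustration, not code from any participant or project in this thread, the following Python selects the OpenID 2.0 endpoint from an XRDS document by XRDS priority and refuses endpoints that are not https, which is the relying-party-side check Peter's concern about "websso assurance depend[ing] on secure name resolution" points at. The XRDS sample and the `example.test` hostnames are constructed for this example; the `xri://$xrds` and `xri://$xrd*($v*2.0)` namespaces and the `http://specs.openid.net/auth/2.0/...` Type URIs are the real ones from the XRDS and OpenID 2.0 specifications.

```python
"""Added example: Yadis/XRDS service selection with an https check.

Parses an XRDS document (what Yadis discovery returns), orders the
OpenID 2.0 Service elements by XRDS priority (lower value wins, no
priority sorts last) and returns the first endpoint that passes an
https check.  Sample document and hostnames are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"   # real XRD 2.0 namespace
OPENID_OP_TYPE = "http://specs.openid.net/auth/2.0/server"
OPENID_SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample: the highest-priority OpenID service advertises a
# plain-http endpoint, the next one an https endpoint, plus an unrelated
# service that must be ignored.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://op.example.test/openid</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.test/openid</URI>
    </Service>
    <Service>
      <Type>http://example.test/unrelated-service</Type>
      <URI>https://other.example.test/</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def parse_services(xrds_text):
    """Return a list of {priority, types, uris} dicts, one per Service."""
    root = ET.fromstring(xrds_text.encode("utf-8"))
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        uris = [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
        prio = svc.get("priority")
        # XRDS semantics: lower priority value is preferred; absent = last.
        priority = int(prio) if prio is not None else float("inf")
        services.append({"priority": priority, "types": types, "uris": uris})
    return services


def select_openid_endpoint(xrds_text, require_https=True):
    """Pick the preferred OpenID 2.0 endpoint, or None if none qualifies."""
    candidates = [
        s for s in parse_services(xrds_text)
        if OPENID_OP_TYPE in s["types"] or OPENID_SIGNON_TYPE in s["types"]
    ]
    candidates.sort(key=lambda s: s["priority"])
    for svc in candidates:
        for uri in svc["uris"]:
            # Skip endpoints that would carry the assertion over plain http.
            if require_https and urlparse(uri).scheme != "https":
                continue
            return uri
    return None


if __name__ == "__main__":
    print("strict:", select_openid_endpoint(SAMPLE_XRDS))
    print("lenient:", select_openid_endpoint(SAMPLE_XRDS, require_https=False))
```

With the https check on, the priority-0 service is skipped and the priority-10 https endpoint is chosen; with it off, the plain-http endpoint wins on priority alone, which is exactly the difference between "the document says so" and "the document says so over a channel I can verify".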
