[OpenID] Consumers storing data against an OpenID
Peter Williams
pwilliams at rapattoni.com
Thu May 22 18:08:26 UTC 2008
Why?
It's surely a variant of a standard SAML SSO practice, where the confirmation of a subject "attribute" on the next session is based on a previous session.
All I did was now release the (Security) attributes of that previous session to the RP#n to help assure the fidelity of the identity-attribute in question, rather than limiting the release to a single summary fact (confirmation was based on some anonymous "previous" session - whose audit data the RP#n has no access to).
> -----Original Message-----
> From: Dick Hardt [mailto:dick at sxip.com]
> Sent: Thursday, May 22, 2008 10:56 AM
> To: Peter Williams
> Cc: Steven Livingstone-Perez; OpenID List
> Subject: Re: [OpenID] Consumers storing data against an OpenID
>
> overloading the association is a bad idea IMHO
>
> On 22-May-08, at 10:20 AM, Peter Williams wrote:
>
> > Do it.
> >
> > Essentially, let the delivering RP sign the attribute, where both
> > attributes and signatures are stored, where the OpenID Association
> > is the signing mechanism.
> >
> > Academically, we are saying that the OpenID Association that "signs"
> > the attribute delivered by RP#1 to the AX resolver can be "referred
> > to" when the OP/AX then makes statements about attributes to RP#2,
> > over another OpenID Association.
> >
> > So, don't tag the attribute with its "source", merely: tag it with
> > the value(s) of the OpenID Association that delivered it to the
> > Attribute store. Let a requesting RP#2 now ask for meta-attributes
> > about the attribute if it wishes - all the parameters of the
> > delivering OpenID Association.
> >
> >> -----Original Message-----
> >> From: general-bounces at openid.net [mailto:general-
> >> bounces at openid.net] On
> >> Behalf Of Dick Hardt
> >> Sent: Thursday, May 22, 2008 9:06 AM
> >> To: Steven Livingstone-Perez
> >> Cc: 'OpenID List'
> >> Subject: Re: [OpenID] Consumers storing data against an OpenID
> >>
> >> Attribute Exchange was intended for an RP to store data that would be
> >> useful to other RPs.
> >>
> >> If there is sufficient interest in the use case that Steven has
> >> brought up, AX could be extended so that data stored is tagged with
> >> its origin and then provided back to the RP when the user logs in
> >> again in the future. For small sites, this has the advantage of being
> >> able to outsource local attributes.
> >>
> >> -- Dick
> >>
> >> On 22-May-08, at 3:14 AM, Steven Livingstone-Perez wrote:
> >>
> >>> Thanks Jorn - yes you are right about protecting "local" attributes
> >>> so that it isn't shared amongst bodies (that is a whole new discussion).
> >>>
> >>> I will need to look more into the attribute exchange today/tomorrow.
> >>>
> >>> The reason it is useful at the IP is simply for convenience for RPs
> >>> who want to store attribute information against the IDs but don't want
> >>> to modify their local schema. An IP durable bucket would be very useful.
> >>>
> >>> Regards,
> >>> Steven
> >>> http://weblivz.openid.org
> >>>
> >>> -----Original Message-----
> >>> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> >>> On Behalf Of Jørn Wildt
> >>> Sent: 22 May 2008 09:55
> >>> To: 'OpenID List'
> >>> Subject: Re: [OpenID] Consumers storing data against an OpenID
> >>>
> >>>> this has already been
> >>>> considered under OpenID Attribute Exchange
> >>>
> >>> But does Attribute Exchange take the origin into account? It's much
> >>> like cookies - if site A stores attribute X at the IP, will site B then
> >>> get the attribute?
> >>>
> >>> Should it? In this example it is some local school information. But
> >>> what if I used the same OpenID at both CIA and Al-Qaeda? Then I probably
> >>> wouldn't want my CIA spyname sent to Al-Qaeda just because CIA found it
> >>> convenient to store it at the IP.
> >>>
> >>> It seems to me that local data should be stored at the RP only - it
> >>> has nothing to do at the IP.
> >>>
> >>> Or have I missed something?
> >>>
> >>> /Jørn
> >>>
> >>> -----Original Message-----
> >>> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> >>> On Behalf Of Prabath Siriwardena
> >>> Sent: 22. maj 2008 10:47
> >>> To: Steven Livingstone-Perez
> >>> Cc: general at openid.net
> >>> Subject: Re: [OpenID] Consumers storing data against an OpenID
> >>>
> >>> If I correctly understood your question - Yes - this has already
> >>> been considered under OpenID Attribute Exchange [1].
> >>>
> >>> Thanks & regards.
> >>> - Prabath
> >>>
> >>> [1]: http://openid.net/specs/openid-attribute-exchange-1_0.html#store
> >>>
> >>> On Thu, May 22, 2008 at 1:43 PM, Steven Livingstone-Perez
> >>> <weblivz at hotmail.com> wrote:
> >>>> Has it ever been considered that a consumer of an OpenID may wish
> >>>> to store some attributes data against that user?
> >>>>
> >>>> In other words rather than storing it locally (and doing the work
> >>>> required to achieve this) a trusted consumer may have "write" abilities
> >>>> which would allow them to store some information important only to them
> >>>> against the OpenID?
> >>>>
> >>>> For example you may log in and be directed to a site who may wish
> >>>> to store the local username they use for you with the OpenID so they can
> >>>> get it as one of the attributes next time - or (as someone recently asked
> >>>> me) store the local school they are to be associated with under their
> >>>> domain.
> >>>>
> >>>> Regards,
> >>>>
> >>>> Steven
> >>>>
> >>>> http://weblivz.openid.org
> >>>>
> >>>> _______________________________________________
> >>>> general mailing list
> >>>> general at openid.net
> >>>> http://openid.net/mailman/listinfo/general
> >>>>
> >>>>
> >>
> >
> >
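As an added illustration (not code from this thread or from the AX specification), here is a constructed model of the OP-side store bucket the thread is debating, combining the two ideas raised above: each stored attribute is tagged with the realm and the OpenID association that delivered it, an HMAC under that association's MAC key is kept beside it, and a fetch only returns what the requesting realm stored itself, so site A's data is never handed to site B. The class and method names, the realms and the type URI are hypothetical.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class StoredAttr:
    value: str
    realm: str          # RP realm that stored it: the "origin" tag
    assoc_handle: str   # association over which it was delivered
    mac: bytes          # HMAC over identity|type|value under that association's key


class AttributeStore:
    """Constructed OP-side AX store bucket; hypothetical names, not the spec's API."""

    def __init__(self):
        self.assoc_keys = {}   # assoc_handle -> MAC key the OP already shares with the RP
        self.attrs = {}        # (identity, type_uri) -> [StoredAttr, ...]

    def register_association(self, handle, mac_key):
        self.assoc_keys[handle] = mac_key

    @staticmethod
    def _mac(key, identity, type_uri, value):
        msg = "\n".join((identity, type_uri, value)).encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def store(self, identity, type_uri, value, realm, assoc_handle):
        key = self.assoc_keys[assoc_handle]   # unknown handle raises KeyError: refuse the store
        rec = StoredAttr(value, realm, assoc_handle,
                         self._mac(key, identity, type_uri, value))
        self.attrs.setdefault((identity, type_uri), []).append(rec)

    def fetch(self, identity, type_uri, realm):
        """Return only what this realm stored itself, with the delivering association as metadata."""
        out = []
        for rec in self.attrs.get((identity, type_uri), []):
            if rec.realm != realm:
                continue   # site B never receives what site A parked at the OP
            key = self.assoc_keys[rec.assoc_handle]
            if not hmac.compare_digest(self._mac(key, identity, type_uri, rec.value), rec.mac):
                continue   # stored value no longer matches what the RP delivered: drop it
            out.append({"value": rec.value, "delivered_over": rec.assoc_handle})
        return out
```

The `delivered_over` field is the meta-attribute Peter describes: the RP can see which association carried the value without the OP revealing any other realm's data.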