[OpenID] [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research

Peter Williams pwilliams at rapattoni.com
Sun Oct 19 16:50:57 UTC 2008


SAML2 now has a zero-cost linkup, too - or at least, a particular vendor has one, when talking to itself.

(I view that as a win for OpenID2.  I'm convinced it was done as a reaction to the OpenID2 design.)


Commentary:

In some ways, what the Ping Identity folks did in auto-pulling SAML metadata - in the same way that OpenID pulls down an XRDS - was an improvement on OpenID2. They addressed the use of email identifiers, frontally, as the metadata locator; and formalized the relationship of https/PKI to the authority distributing the "XRDS". This really didn't go beyond OpenID (which states that trust model issues are handled externally to OpenID auth while stating "We recommend use of https, folks") but 'security engineered it' rather better, in my view.  I can see how the Ping Identity solution can address CC criteria, as it maps onto the standard building blocks of functionality and assurance.

If one uses the null ciphersuite option of OpenIDAuth (and dumps the OpenID DH mechanism and key wrapping design) and then uses the DH ciphersuites of SSL3, one gets something analogous to unsigned SAML message flows over redirects (relying on nonces for end-to-end messaging anti-replay).

One always has to look carefully at each OpenID and/or SAML2 vendor's implementation, though. The Shibboleth 2.x "vendor" doesn't appear to exploit the anti-replay features of the SAML authnReq protocol, for example.

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Shane B Weeden
Sent: Sunday, October 19, 2008 9:36 AM
To: Brandon Ramirez
Cc: general-bounces at openid.net; OpenID List
Subject: [LIKELY_SPAM]Re: [OpenID] Combining Google & Yahoo user experience research


Brandon:
> [...] Why should I trust a random OP?
>

You shouldn't, and nobody is claiming you should for any transaction of value. What does excite me about OpenID (and InfoCard for that matter) over other SSO protocols like SAML is the zero cost of onboarding additional RPs if I am acting as an IDP. All the RP needs to do (besides following a best-practices secure deployment model) is define that they trust the IDP (e.g. for OpenID define a trusted list of OP endpoints) and the IDP need do nothing in particular.

Sure, there are dynamic extensions to SAML like those defined by Shibboleth for dynamic metadata sharing, but out-of-the-box nothing I've been exposed to thus far quite matches the simplicity of the OpenID model.

=shane
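Two RP-side checks come up in this thread: Shane's point that an OpenID RP "defines a trusted list of OP endpoints" and nothing more, and Peter's point that redirect-based flows lean on nonces for anti-replay (and that not every implementation actually uses them). The following Python is an added example, written for this archive page and not code from either poster, Ping Identity, Shibboleth or any OpenID library. It shows what those two checks look like on a positive OpenID 2.0 assertion: the OP endpoint must be on an explicit allowlist, and `openid.response_nonce` (per the OpenID 2.0 spec, a UTC timestamp followed by OP-chosen unique characters) must be well-formed, within a clock-skew window, and never accepted before from that OP. The endpoint URLs, the five-minute skew, and the names `TRUSTED_OP_ENDPOINTS`, `ReplayCache` and `validate_assertion` are all assumptions for the example; signature verification of the assertion is assumed to happen elsewhere and is not part of this code.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed allowlist of OP endpoints this RP trusts (placeholder URLs, not real providers).
TRUSTED_OP_ENDPOINTS = {
    "https://op.example.com/openid/server",
    "https://idp.example.org/openid",
}

# OpenID 2.0 response_nonce: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by up to
# 255 printable ASCII characters that the OP chooses to make the value unique.
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]{0,255})$")
_NONCE_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


class ReplayCache:
    """Remembers (op_endpoint, nonce) pairs already accepted until they could no longer be replayed."""

    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew   # clock skew tolerated between OP and RP (assumed value)
        self._seen = {}            # (op_endpoint, nonce) -> time after which the entry can be dropped

    def _purge(self, now):
        expired = [k for k, exp in self._seen.items() if exp <= now]
        for k in expired:
            del self._seen[k]

    def accept(self, op_endpoint, nonce, nonce_ts, now):
        """Return False if the nonce was seen before; otherwise record it and return True."""
        self._purge(now)
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False
        # After nonce_ts + max_skew the nonce is rejected as stale anyway, so it can be forgotten then.
        self._seen[key] = nonce_ts + self.max_skew
        return True


def validate_assertion(params, cache, now=None):
    """Apply the RP-side trust and anti-replay rules to a positive OpenID 2.0 assertion.

    params is the dict of openid.* parameters carried on the redirect back to the RP.
    Signature/association verification is assumed to happen separately and is not done here.
    Returns (ok, reason).
    """
    now = now or datetime.now(timezone.utc)

    # 1. Trust: accept assertions only from OP endpoints the RP has explicitly listed.
    op_endpoint = params.get("openid.op_endpoint", "")
    if op_endpoint not in TRUSTED_OP_ENDPOINTS:
        return False, "untrusted OP endpoint"

    # 2. Anti-replay: the nonce must be well-formed, fresh, and never accepted before from this OP.
    m = _NONCE_RE.match(params.get("openid.response_nonce", ""))
    if not m:
        return False, "malformed response_nonce"
    nonce_ts = datetime.strptime(m.group(1), _NONCE_TS_FORMAT).replace(tzinfo=timezone.utc)
    if abs(now - nonce_ts) > cache.max_skew:
        return False, "nonce outside acceptance window"
    if not cache.accept(op_endpoint, m.group(0), nonce_ts, now):
        return False, "replayed nonce"

    return True, "ok"


def demo():
    """Run constructed assertions through the checks with a fixed clock; returns the outcomes in order."""
    now = datetime(2008, 10, 19, 16, 50, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    fresh = {"openid.op_endpoint": "https://op.example.com/openid/server",
             "openid.response_nonce": "2008-10-19T16:49:30Zk7Qx2"}
    untrusted = {"openid.op_endpoint": "https://other.example.net/openid",
                 "openid.response_nonce": "2008-10-19T16:49:31Zabc"}
    stale = {"openid.op_endpoint": "https://op.example.com/openid/server",
             "openid.response_nonce": "2008-10-19T15:00:00Zold1"}
    broken = {"openid.op_endpoint": "https://op.example.com/openid/server",
              "openid.response_nonce": "not-a-nonce"}
    return [
        validate_assertion(fresh, cache, now),      # accepted
        validate_assertion(fresh, cache, now),      # same redirect delivered twice: rejected as a replay
        validate_assertion(untrusted, cache, now),  # OP not on the allowlist
        validate_assertion(stale, cache, now),      # nonce timestamp far outside the skew window
        validate_assertion(broken, cache, now),     # nonce does not match the spec format
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("accepted" if ok else "rejected", "-", reason)
```

The replay cache is keyed by OP endpoint as well as nonce because the spec only requires a nonce to be unique per OP; a single-process dict is enough to show the rule, but an RP running on several hosts would need the same "seen" set shared across them, otherwise the second delivery of a redirect to a different node would pass.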