[OpenID] Security related Use Cases?
Paul Madsen
paulmadsen at rogers.com
Wed Oct 22 11:59:07 UTC 2008
Unless with something like SAML's (nascent) Holder of Key profile
http://www.oasis-open.org/committees/download.php/29426/sstc-saml-holder-of-key-browser-sso-draft-07.pdf
Client authenticates directly with a cert to the SP, but that SP still
'relies' on the SAML assertion from the IDP
paul
Ben Laurie wrote:
> On Wed, Oct 22, 2008 at 4:18 AM, Dick Hardt <dick at sxip.com> wrote:
>
>> I would guess Ben is talking about authentication to the RP
>>
>
> Actually, I meant any authentication - what does authentication to the
> RP mean, anyway? If I am authenticating to it directly, then it isn't
> an RP, right?
>
>
>> -- Dick
>>
>> On 21-Oct-08, at 7:52 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>>
>>
>>> OpenID does not specify how the user authenticates with their OP, so OPs
>>> which support hooks for client side authentication seem to address your
>>> concerns.
>>>
>>> Allen
>>>
>>> Ben Laurie wrote:
>>>
>>>> So if we're going to embark on a UX consistency campaign, should we
>>>> not do it around authentication that actually is safe - that is:
>>>>
>>>> a) Built in to the browser, s.t. it can't be faked by webpages
>>>>
>>>> b) Does not reveal the user's password in the process of authentication?
>>>>
>>>> Continuing to try to prop up the house of cards that is authentication
>>>> on webpages seems counterproductive to me.
>>>>
>>>>
>
>
>
--
ConnectID <http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1>