[OpenID] [LIKELY_SPAM]Re: Too many providers and here's one reason

Peter Williams pwilliams at rapattoni.com
Thu Oct 30 03:32:37 UTC 2008


Does the signed "certificate" (attesting to the fidelity of some attribute value) really need to be "stored", or can it be signed dynamically, before or during release to the RP?

The model of dynamically signing "attributes" is of course what happens in OpenID's XRI resolution (trusted variety). The format of the "certificate" supporting the attribute happens to be XML (using a funky variant of the SAML tags), and it's signed using xmldsig, supported by CA certs.

If the attribute being queried is one managed by an XRI repository, the AX/OP agent could be

(a) Proxying an attribute request in the form of an encoded XRI request, and chaining that request and the response between the XRI agent and the consumer/RP

(b) Obtaining the attribute value (via XRI or other resolvers), and packaging it as the XML response (an XRDS with embedded "SAML-certificate-signatures")

(c) Looking up the attribute value from a simple db, and returning the certified form... or certifying it on the fly, using XRI's SAML-certificates or X.509 PACs, ...or **any other** form of signed certificate



From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of santosh subramanian
Sent: Wednesday, October 29, 2008 5:57 PM
To: general at openid.net
Cc: Michael Hart; Rob Johnson; Shishir
Subject: [LIKELY_SPAM]Re: [OpenID] Too many providers and here's one reason


For example, a dating site might need to verify a user's age before letting them log in. In our solution, one party, which we call the Attribute Provider (AP), provides a signed certificate that the user possesses some attribute (e.g. is over 18). This certificate is stored as an attribute at the user's OP, and other RPs can request this certificate when they want to verify attributes of the user.


For the implementation, we have followed the OpenID Signed Assertions
draft: http://www.mail-archive.com/specs@openid.net/msg00907.html
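The pattern the two messages describe (an Attribute Provider signs an assertion such as "over 18", the OP stores or relays it, and the RP checks the AP's signature before trusting the value) is the same whether the signature is produced ahead of time for storage or on the fly at release. The Go program below is an added example, not code from either poster or from the OpenID Signed Assertions draft. It stands in Ed25519 over a JSON payload for the xmldsig/SAML/X.509 formats the thread mentions; the field names, the `Certify`/`Verify` API and the issuer registry are assumptions made for the example. The RP side shows the checks a verifier needs regardless of format: trusted issuer, valid signature over the exact bytes received, matching subject and attribute, and validity window.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AttributeAssertion is the hypothetical payload an Attribute Provider (AP) signs.
// The field names are an assumption for this example, not the draft's format.
type AttributeAssertion struct {
	Issuer    string `json:"iss"`  // AP identifier the RP uses to look up a trusted key
	Subject   string `json:"sub"`  // the user's OpenID identifier
	Attribute string `json:"attr"` // e.g. "over18"
	Value     string `json:"val"`  // e.g. "true"
	IssuedAt  int64  `json:"iat"`  // Unix seconds
	ExpiresAt int64  `json:"exp"`  // Unix seconds; bounds how long a stored assertion stays usable
}

// SignedAssertion carries the payload bytes exactly as signed, plus the AP signature.
// Verifying over the stored bytes (not a re-serialisation) avoids canonicalisation bugs.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// AttributeProvider signs assertions either ahead of time (for storage at the OP)
// or dynamically at release; the signing step is identical, only the TTL differs.
type AttributeProvider struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewAttributeProvider generates a fresh Ed25519 key pair for the AP.
func NewAttributeProvider(id string) (*AttributeProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AttributeProvider{ID: id, priv: priv, Pub: pub}, nil
}

// Certify issues a signed assertion that subject holds attribute=value, valid for ttl.
func (ap *AttributeProvider) Certify(subject, attr, value string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a := AttributeAssertion{
		Issuer: ap.ID, Subject: subject, Attribute: attr, Value: value,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(),
	}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(ap.priv, payload)}, nil
}

// RelyingParty holds the AP public keys it trusts, keyed by issuer identifier.
type RelyingParty struct {
	TrustedAPs map[string]ed25519.PublicKey
}

// Verify checks issuer trust, signature, subject/attribute binding and validity window,
// and returns the certified value only when every check passes.
func (rp *RelyingParty) Verify(sa SignedAssertion, expectSubject, expectAttr string, now time.Time) (string, error) {
	var a AttributeAssertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", fmt.Errorf("malformed assertion: %w", err)
	}
	key, ok := rp.TrustedAPs[a.Issuer]
	if !ok {
		return "", errors.New("untrusted issuer: " + a.Issuer)
	}
	if len(sa.Signature) != ed25519.SignatureSize || !ed25519.Verify(key, sa.Payload, sa.Signature) {
		return "", errors.New("signature does not verify")
	}
	if a.Subject != expectSubject {
		return "", errors.New("assertion is about a different subject")
	}
	if a.Attribute != expectAttr {
		return "", errors.New("assertion certifies a different attribute")
	}
	t := now.Unix()
	if t < a.IssuedAt || t >= a.ExpiresAt {
		return "", errors.New("assertion outside its validity window")
	}
	return a.Value, nil
}

func main() {
	// Constructed demo: AP certifies "over18", RP (e.g. a dating site) verifies it.
	ap, err := NewAttributeProvider("https://ap.example/") // hypothetical issuer id
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{TrustedAPs: map[string]ed25519.PublicKey{ap.ID: ap.Pub}}
	now := time.Date(2008, 10, 30, 0, 0, 0, 0, time.UTC)
	sa, _ := ap.Certify("https://alice.example/", "over18", "true", now, 24*time.Hour)
	val, err := rp.Verify(sa, "https://alice.example/", "over18", now.Add(time.Hour))
	fmt.Println("fresh:", val, err)
	_, err = rp.Verify(sa, "https://alice.example/", "over18", now.Add(48*time.Hour))
	fmt.Println("stale:", err)
}
```

Because the RP verifies over the byte string it was handed, an OP that stores the assertion can simply forward it unchanged; an OP that re-encodes it (as the XRDS packaging in (b) above would) must carry the signed bytes intact or the signature will not verify.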


