[OpenID] Too many providers... and here's one reason
Peter Williams
pwilliams at rapattoni.com
Tue Sep 16 16:46:26 UTC 2008
So I hear InfoCard folks noting that claims can be transformed by a cascade of STSs (each of which adds increasingly RP-centric value, perhaps testing for membership against some DB).
Had not heard the notion of there being a set of assertions in the core model, however, or a chain of assertions. Such would obligate the RP to start doing (complex) path processing, of course, like certs or OSPF SPF math.
Might as well use X.509 PACs and dynamic PAC issuing at this point. Standard already exists. One could serialize the ASN.1 PACs in XML if one wants, rather than binary. The core standard doesn't (really) care about bit formats, so long as canonicalization issues are addressed (by such as XML DSig). PACs already work fine in SSL (via the SAML wrapper in the client auth msg of TLS 1.2).
-----Original Message-----
From: Dick Hardt <dick.hardt at gmail.com>
Sent: Tuesday, September 16, 2008 8:49 AM
To: Andrew Arnott <andrewarnott at gmail.com>
Cc: Peter Williams <pwilliams at rapattoni.com>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] Too many providers... and here's one reason
On 15-Sep-08, at 6:06 PM, Andrew Arnott wrote:
> You know on second thought, perhaps OAuth is appropriate. The
> 'protected resource' in this case is my membership status. And
> while creating my account at the RP, I can check a box saying "you
> may check my membership at org xyz", which will cue the RP that it's
> worthwhile to redirect me to that site using OAuth to verify
> membership.
This works if the RP knows the address of where to check for
membership status. A more resilient and flexible model separates the
claim from where to get the claim so that the RP does not care where
the claim comes from, just that it got the claim.
Frankly, InfoCards solve your problem better than OAuth and OpenID today.
-- Dick
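The "path processing" that Peter says a chain of assertions would force onto the RP looks, in the simplest case, like the walk below: an added illustration written for this archive page, not code from any participant, InfoCard, or OpenID project. It assumes a constructed set of three issuers (a root STS the RP trusts as an anchor, a membership STS that adds the org-xyz claim after its own lookup, and an RP-side STS that narrows the claims), uses HMAC with per-issuer secrets as a stand-in for the XML DSig / X.509 signatures the thread has in mind, and uses sorted JSON as a stand-in for canonicalization. Each link names the next STS allowed to transform its claims and binds to the previous link's hash, and the RP rejects unknown issuers, undelegated issuers, broken bindings, subject changes and over-long chains.

```python
import hashlib
import hmac
import json

# Constructed example state. HMAC with per-issuer secrets stands in for the
# asymmetric signatures (XML DSig, X.509 PACs) the thread discusses; the RP
# holds verification material only for issuers it is prepared to accept.
ISSUER_KEYS = {
    "root-sts": b"constructed-root-secret",
    "membership-sts": b"constructed-membership-secret",
    "rp-sts": b"constructed-rp-secret",
}
TRUST_ANCHORS = {"root-sts"}  # the only issuer the RP trusts unconditionally
MAX_DEPTH = 4                 # bound on how much path processing the RP will do


def canonical(obj):
    """Deterministic byte form of a structure; stand-in for C14N before signing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def link_hash(link):
    return hashlib.sha256(canonical(link)).hexdigest()


def issue(issuer, subject, claims, delegate_to=None, prev=None):
    """One STS issues one assertion: it may transform the claims it received
    and names the next STS (if any) allowed to transform them further."""
    payload = {
        "subject": subject,
        "claims": claims,
        "delegate": delegate_to,
        "prev": link_hash(prev) if prev is not None else None,
    }
    sig = hmac.new(ISSUER_KEYS[issuer], canonical(payload), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "payload": payload, "sig": sig}


def validate_chain(chain, trust_anchors=TRUST_ANCHORS, max_depth=MAX_DEPTH):
    """RP-side path processing. Returns (ok, detail): on success detail is the
    final claim set, on failure it names the first check that failed."""
    if not chain:
        return False, "empty chain"
    if len(chain) > max_depth:
        return False, "chain exceeds max depth"
    if chain[0]["issuer"] not in trust_anchors:
        return False, "first link not issued by a trust anchor"
    prev = None
    for i, link in enumerate(chain):
        issuer = link["issuer"]
        # Refuse unknown issuers before touching signatures, so a missing key
        # can never degrade into "verify against an empty key".
        if issuer not in ISSUER_KEYS:
            return False, f"link {i}: unknown issuer {issuer!r}"
        expected = hmac.new(ISSUER_KEYS[issuer], canonical(link["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return False, f"link {i}: bad signature"
        p = link["payload"]
        if prev is not None:
            if issuer != prev["payload"]["delegate"]:
                return False, f"link {i}: issuer {issuer!r} was not delegated to"
            if p["prev"] != link_hash(prev):
                return False, f"link {i}: does not bind to previous link"
            if p["subject"] != prev["payload"]["subject"]:
                return False, f"link {i}: subject changed"
        prev = link
    return True, prev["payload"]["claims"]


def build_example_chain():
    """Constructed chain: root asserts identity, the membership STS adds the
    org-xyz membership claim after its own DB check, the RP's STS narrows it."""
    root = issue("root-sts", "alice", {"email": "alice@example.invalid"},
                 delegate_to="membership-sts")
    member = issue("membership-sts", "alice",
                   {"email": "alice@example.invalid", "member_of": ["org-xyz"]},
                   delegate_to="rp-sts", prev=root)
    final = issue("rp-sts", "alice", {"org_xyz_member": True}, prev=member)
    return [root, member, final]


if __name__ == "__main__":
    print(validate_chain(build_example_chain()))
```

The RP never needs to know where the membership claim came from, only that every link back to its anchor verifies; that is the separation Dick describes. The cost is exactly the per-link checking above, which grows with chain length, which is why the depth bound is part of the validator rather than an afterthought.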