[OpenID] Proxying (with OpenSocial) through experimental.openid.net to promote OpenID

Peter Williams pwilliams at rapattoni.com
Mon Aug 10 19:51:33 UTC 2009


Using a relay/proxy to do last-mile integration (for consumer sites that don't want to adopt some standard natively) is pretty traditional in the websso world. Wars over who is an appropriate TTP to play this role also have a long history. The properties and policy disclosures of TTPs about how they store/abuse private data are well understood. It's all a minor variety of the 50-year-old outsourcing business. The investment community even has a category for these businesses: service bureaus (into which category folks like TTP CAs fit). OpenID service brokers are just another minor variant.

I don't focus on the world of token translators (from openid -> saml2 -> ws-fed), as that's a well-established market for value-adders. The recent Google Apps announcement exploited this practice, where the Ping Identity server announced as part of the program is conceived in exactly that proxying role: so that SAML2-powered Google Apps domains can receive assertions from openid-powered Google Apps domains, once translated by the relay.

I've been focusing on the control plane rather than the communications plane in my R&D, addressing the role of policy enforcement. Rather than openid IS (intermediate) or ES (end) systems simply using the hosted xdi.net XRI proxy, I see the same site using something such as my build of a "walled-garden" XRI proxy (hosted by some outsourcer, or the end system itself). It performs openid discovery with the likes of Google (addressing their experimental standards, and dealing with their PKI-centric control paradigm), and rewrites their XRD. So that the openid consumer of discovery data is freed from the PKI-based control plane, I re-sign the XRD. On the last-mile hop between the XRI proxy and the consumer's discovery initiator, I simply use an xmlenc wrapper, using a symmetric key shared with the proxy user, to deliver a data origin authentication service over the XRD datum to the intended recipient.

So, just as one does interface-proxying to dis-intermediate an IDP from the RP (as tokens trundle along the various service busses), so one dis-intermediates the provider of the discovery-based control plane. I argue that the latter is MUCH more important.

I've got the openxri.org proxy working fine, re-signing XRDs. I just need to now complete its memory-based data store (removing the reliance on db storage) so it can be hosted in the Java Google Apps containers of your average Google Apps domain. The proxy can perform the (licensed) google/experimental discovery protocol, manage the issues of PKI/CA trust and PKI validation according to the proxy requestor's policy requirements for reliance, get to the meat (the XRDs), cache the XRDs from XDI.ORG registered and community authorities, and then re-sign those datums in the cache as proxy requests come in from the openid-powered RP sites. One re-signs according to the requirements of the target security domain (vs. the IdP's security domain), where re-signing may be as simple or complex a use of xmldsig/xmlenc as one sees fit.

Now we are getting to what openid is all about! It's not only about token service brokers ... but DISCOVERY brokering (aka outsourced trust networking). The transport/token proxying will commoditize VERY rapidly. The trust networking/brokering market space is only just starting!
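An added illustration of the last-mile hop described in this message (it is not code from the thread or from the openxri.org proxy): the proxy drops the upstream PKI signature, caches the XRD in memory, and delivers it under a symmetric key shared with the requesting RP, which then checks data origin before trusting the endpoint. The XRD content, claimed identifier and key are constructed, and a plain HMAC stands in for the xmlenc/xmldsig wrapper.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample XRD, shaped like what an upstream IdP might serve (not a real one).
# The <Signature> element stands in for the upstream PKI signature the proxy strips.
UPSTREAM_XRD = b"""<XRD xmlns="xri://$xrd*($v*2.0)">
  <Service><Type>http://specs.openid.net/auth/2.0/server</Type>
  <URI>https://idp.example/openid</URI></Service>
  <Signature>UPSTREAM-PKI-SIGNATURE-PLACEHOLDER</Signature>
</XRD>"""

XRD_CACHE = {}  # memory-based store: claimed identifier -> canonical XRD bytes

def canonical(xrd_bytes):
    """Minimal canonical form: parse, drop the upstream <Signature>, re-serialize."""
    root = ET.fromstring(xrd_bytes)
    for child in list(root):
        if child.tag.endswith("}Signature"):
            root.remove(child)
    return ET.tostring(root)

def proxy_cache(claimed_id, upstream_xrd):
    """Proxy side: PKI validation of the upstream XRD is assumed done before caching."""
    XRD_CACHE[claimed_id] = canonical(upstream_xrd)

def proxy_resign(claimed_id, rp_key):
    """Proxy side: re-sign the cached XRD for one RP under the key shared with that RP."""
    body = XRD_CACHE[claimed_id]
    return body, hmac.new(rp_key, body, hashlib.sha256).hexdigest()

def rp_verify(body, mac, rp_key):
    """RP side: constant-time check that the XRD really came from the proxy."""
    expected = hmac.new(rp_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def rp_endpoint(body, mac, rp_key):
    """RP side: yield the OP endpoint only after origin authentication succeeds."""
    if not rp_verify(body, mac, rp_key):
        return None
    root = ET.fromstring(body)
    return next(el.text for el in root.iter() if el.tag.endswith("}URI"))

if __name__ == "__main__":
    proxy_cache("=alice", UPSTREAM_XRD)
    body, mac = proxy_resign("=alice", b"shared-rp-key")
    print(rp_endpoint(body, mac, b"shared-rp-key"))
    tampered = body.replace(b"idp.example", b"evil.example")
    print(rp_endpoint(tampered, mac, b"shared-rp-key"))
```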

________________________________________
From: openid-general-bounces at lists.openid.net [openid-general-bounces at lists.openid.net] On Behalf Of SitG Admin [sysadmin at shadowsinthegarden.com]
Sent: Monday, August 10, 2009 12:06 PM
To: David Recordon
Cc: openid-general at lists.openid.net
Subject: Re: [OpenID] Proxying (with OpenSocial) through experimental.openid.net to promote OpenID

>Rather, usage of this sort of proxying shows a userbase's desire to
>have their accounts OpenID enabled to log in elsewhere.
>
>I would never want to see the OpenID Foundation run an OpenID
>Provider/Proxy for wide usage.  We should instead be creating a
>healthy ecosystem with plenty of providers and consumers.

Agreed. I was trying to come up with a way for users to subvert their
social networking site's decision to ignore OpenID, then leverage
their existing placement in the site's network to start a movement of
long-time users bugging the admins for OpenID support. I don't think
the first is really possible, though I am having some more thoughts
on the second. It wouldn't have been very useful without attractive
features on the RP's side, which we don't have much of yet - when
there are a lot of things that can be done with OpenID (not just
create an account elsewhere and use it to log in there, prefilling
profile data, but intercommunication), it'll be easier for users to
get excited.

-Shade