[OpenID] Windows Live ID OpenID CTP Status Update (August 2009)

Peter Williams pwilliams at rapattoni.com
Sun Aug 30 20:29:22 UTC 2009

http://blogs.sun.com/bblfish/entry/join_the_foaf_ssl_community

When the user logs into such an OpenId provider using foaf+ssl, the OP, having fetched the foaf file to verify identity, finds the openid in that graph, then gets the openid page and verifies that it points to the foaf file as well as to the OP.

Now that's cute, because the second half is really only a minor variation of what OPs and RPs do today (using HTML meta tags and XRD.SEP.localids for cross-domain name mapping). It goes a bit further in the first half, as it also addresses user auth (by providing a basis for accepting the SSL layer's assertion of an uncertified public key as one that actually binds to a webid, which implies an openid, which an OP may now release to the RP as a claimed identifier). (*)

But also note how different it was in application from my conception. I had foaf+ssl talking to the RP rather than the OP (where the RP would do all the various mapping, resolving, and verifying). I shifted the control point (back to the way it was in the openid1 world), turning the OP into just one of several transitory intermediaries on the message relay path that separates me, the RP, from you, the user.

Now the nice thing is that I think both control models work; and neither excludes the other. Either RP or OP can be applying this sort of thing, or BOTH can. Thus we address the balance-of-power issue, addressing the issue of dependency becoming a barrier to adoption. One gets around the confidence problem of dependency, because as an RP one now has built-in resilience to failure, and the expectation that of course the RP can ALSO challenge the user directly (using its own run of foaf+ssl).

Peter.

(*) Rather than have a third party sign the foaf file, I'd still like the SSL layer (at the RP) to be verifying the digest of the foaf file referenced by the webid (where the hash is in some other field of the client cert, tied to that foaf file). In this way, the whole system is essentially one of SSL-based self-assertion of an authenticated foaf file to the RP (making things akin to a self-asserted infocard).
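The check the quoted post describes (fetch the foaf file, match the TLS key against the graph, find the openid, confirm the openid page points back at the foaf file and at the OP), plus the digest binding from the footnote, written out as an added example. This is not code from the thread, from foaf+ssl or from any OP; it runs offline on constructed data. Assumptions that are mine, not the post's: the client certificate is modelled as a small dataclass rather than a parsed X.509 object, with the footnote's "hash in some other field of the client cert" as an optional foaf_sha256 attribute; the foaf file is served as N-Triples using the W3C cert vocabulary (cert:key, cert:modulus, cert:exponent) and foaf:openid; the openid page links to the foaf file with a <link rel="meta"> and to the OP with <link rel="openid2.provider">; all URLs and key values are made up.

```python
# Added example, not the thread's code: an RP-side foaf+ssl check in the shape
# the quoted post and the footnote describe, run offline on constructed data.
import hashlib
import hmac
import re
from dataclasses import dataclass
from html.parser import HTMLParser

CERT = "http://www.w3.org/ns/auth/cert#"   # assumed key vocabulary in the FOAF file
FOAF = "http://xmlns.com/foaf/0.1/"

@dataclass(frozen=True)
class ClientCert:                  # stand-in for a parsed X.509 client cert
    webid: str                     # subjectAltName URI presented over TLS
    modulus_hex: str               # RSA public key from the cert
    exponent: int
    foaf_sha256: "str | None" = None  # hypothetical extension (footnote)

# Constructed sample data: one WebID, its FOAF document, its OpenID page.
WEBID = "https://alice.example/me#me"
FOAF_URL = "https://alice.example/me"
OPENID_URL = "https://alice.example/"
OP_URL = "https://op.example/server"
MODULUS = "c0ffee1234" * 4
FOAF_DOC = f"""<{WEBID}> <{CERT}key> _:k .
_:k <{CERT}modulus> "{MODULUS}"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k <{CERT}exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
<{WEBID}> <{FOAF}openid> <{OPENID_URL}> .
""".encode()
OPENID_PAGE = f"""<html><head>
<link rel="openid2.provider" href="{OP_URL}">
<link rel="meta" type="application/rdf+xml" href="{FOAF_URL}">
</head><body>alice</body></html>""".encode()
WEB = {FOAF_URL: FOAF_DOC, OPENID_URL: OPENID_PAGE}
SAMPLE_DIGEST = hashlib.sha256(FOAF_DOC).hexdigest()  # what the cert would carry

def fetch(url: str) -> bytes:      # stand-in for an HTTPS GET
    return WEB[url]

_TERM = r'(<[^>]*>|_:\w+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>)?)'
_NT = re.compile(rf"^{_TERM}\s+{_TERM}\s+{_TERM}\s*\.$")

def _term(t: str) -> str:
    if t.startswith("<"):
        return t[1:-1]                  # IRI
    if t.startswith('"'):
        return t[1:t.rindex('"')]       # literal value; datatype dropped
    return t                            # blank node label

def parse_ntriples(data: bytes) -> list:
    """Minimal N-Triples reader: IRIs, blank nodes and (typed) literals."""
    triples = []
    for raw in data.decode().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NT.match(line)
        if not m:
            raise ValueError(f"bad N-Triples line: {line}")
        triples.append(tuple(_term(x) for x in m.groups()))
    return triples

def key_matches(triples, webid: str, cert: ClientCert) -> bool:
    """True if the TLS public key is one of the keys the graph lists for webid."""
    for s, p, o in triples:
        if s == webid and p == CERT + "key":
            props = {pp: oo for ss, pp, oo in triples if ss == o}
            if (int(props.get(CERT + "modulus", "0"), 16) == int(cert.modulus_hex, 16)
                    and props.get(CERT + "exponent") == str(cert.exponent)):
                return True
    return False

class _Links(HTMLParser):          # collects <link ...> tags from an HTML page
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            self.links.append(dict(attrs))

def verify(cert: ClientCert, op_url: str) -> str:
    """Return the OpenID the RP may use as the claimed identifier, or raise."""
    foaf_url = cert.webid.split("#", 1)[0]
    doc = fetch(foaf_url)
    # Footnote: a cert-carried digest binds this cert to one exact FOAF file.
    if cert.foaf_sha256 is not None and not hmac.compare_digest(
            hashlib.sha256(doc).hexdigest(), cert.foaf_sha256):
        raise ValueError("FOAF digest in cert does not match fetched file")
    triples = parse_ntriples(doc)
    if not key_matches(triples, cert.webid, cert):
        raise ValueError("TLS public key is not listed for this WebID")
    openid, = [o for s, p, o in triples if s == cert.webid and p == FOAF + "openid"]
    parser = _Links()                   # exactly one foaf:openid, else ValueError above
    parser.feed(fetch(openid).decode())
    back = any(l.get("rel") == "meta" and l.get("href") == foaf_url for l in parser.links)
    op_ok = any(l.get("rel") == "openid2.provider" and l.get("href") == op_url for l in parser.links)
    if not (back and op_ok):
        raise ValueError("OpenID page does not point to the FOAF file and the OP")
    return openid
```

`verify(ClientCert(WEBID, MODULUS, 65537, SAMPLE_DIGEST), OP_URL)` returns the openid; a cert whose key is not in the graph, whose digest does not match the fetched file, or whose openid page names a different OP is rejected. The same function serves both control models in the message: an OP runs it before releasing the openid as a claimed identifier, and an RP runs it itself when it challenges the user directly with its own foaf+ssl handshake. A real deployment would take the SAN URI and RSA parameters from the X.509 certificate the TLS stack verified, fetch over HTTPS, and use an RDF parser for Turtle or RDF/XML foaf files; the N-Triples reader here covers only the sample format.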