[OpenID] OAUTH and openid key management. Is key management for authorization the central issue of harmonization?

Peter Williams pwilliams at rapattoni.com
Sat Jan 10 22:17:40 UTC 2009


Is the goal of OpenID + OAuth considered to be: solve the problem of how OpenID can perform key management between an AC and a __user's__ authorized set of SPs (using key distribution to explicitly authorize those particular SPs to distribute the user data to an AC)?

If so, there does seem to be the opportunity to repurpose the pairwise Yahoo-style directed-id pseudonym as a "group shared secret" between several RPs (1 AC and certain SPs (acting under the authorization of a specific user to provide data to the AC)).

If anyone wants to collaborate writing this up in private, let me know. I'd like to first make SAML assertions and SAML WebSSO protocols perform this role with OAuth, before judging if there will then be reason to make OpenID Auth replace SAML2. SAML has mature support for persistent identifiers that can be shared across RP affiliation communities. If it turns out that name federations can indeed drive OAuth key management in a UCI environment, then one can see about using the PAPE signal between OAuth SPs and the OP to serve as an affiliation group tag, one that controls how directed-id can repurpose ClaimedID pseudonyms as a means of distributing/revoking group authZ keys/capabilities of the kind that the OAuth community seems to actually use.


I spent the day studying how SAML does RP affiliations, by tagging the request to its OP with a community tag, trying to conceive of how it would best apply to the downstream network of AC->SPs. This would influence how the likes of Yahoo should be handling their generation of the pseudonyms. If an AC has a co-resident OpenID RP module, I can see how the affiliation tag (which implies the OP would use a common pseudonym across the affiliation members) should be able to bind ACs to particular SPs in its affiliation group. Now I know Pat is experimenting with a different direction (using OpenID assertions to distribute public keys). I suspect the minting of an affiliation-common pseudonym by an OP would make for a rather better password-distribution mechanism between an AC and the user's set of SP data sources, given the culture of OAuth today. But, who knows!
