[OpenID] openid 2.1 and geneva - XRI?

Chris Messina chris.messina at gmail.com
Sun May 17 16:47:57 UTC 2009


By the way, just for the record, Peter, I understand about 12% of your posts
considering all the acronyms that you use.
Is there an index that I could use to expand the acronyms you use in your
emails?

Chris

On Sat, May 16, 2009 at 3:14 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

> There is absolutely nothing in the following resources that refers to
> openid(2). But let's imagine MSFT was going to plug openid auth in to the
> Geneva framework (along with all the other largely equivalent websso
> protocols)
>
>
> http://blogs.msdn.com/card/archive/2009/05/12/what-s-new-in-geneva-beta-2.aspx
>
>
> http://blogs.msdn.com/card/archive/2008/11/04/microsoft-geneva-framework.aspx
>
> The (postulated) things I'd find most interesting would be, given their
> impact on the relevance of openid in an enterprise deployment:-
>
> integration with the AD-RMS server. If used much as RMS is used via IKE
> certs to create ipsec segmentation worlds in NAC environments, openid RPs
> could be benefiting from claims that are in fact RMS-issued short-lived
> certs (describing the health compliance of the PC to the RP). Rather than the RP
> worrying about password age, it simply processes the health cert (whose issuing
> policy addresses that compliance issue).
>
> mapping of openid claims onto windows tokens (allowing for onward
> delegation). This would be a variant of what's being done for SAML2 account
> linking. Obviously, those tokens want to convey the health standing of the
> clients, so as not to contaminate more trusted networks
>
> the HA and FT architecture, probably based on AD multi-mastering, locator
> protocols, site replication etc. I.e. what would happen when openid is used
> in an enterprise context and an app must locate the openid federation
> gateway nearest to it, given the publication of its transformation
> capabilities
>
> Will there be a token handler for openid auth, much as there is for saml,
> secure sessions for web services, kerberos tokens, etc? If nothing else,
> the openid auth MAC'ed assertion blob can be regarded as just another binary
> blob.
>
> The use of UPN claims, allowing the federated trust model to support websso
> - as the RP must be AD-powered - so it can evaluate the binding of the UPN
> to the ldap URI (or a gc URL, or [logically] an http openid URL).
>
> Geneva implements SP-lite (which includes mandatory support for logout).
> Would openid auth 2.1 have to match this minimum?
>
> ----
>
> does anyone have any blog-style pointers about Microsoft future directions
> and XRI 2.0 resolution - probably on an AD-related list?
>
> Will be interesting to see if MSFT creates a world of standalone XRI
> servers, much as it distinguishes between AD LDS naming contexts apps run
> for themselves, vs the naming contexts managed by DCs supporting the Windows
> Network. I'd see this as a boon for openid RP webapps, if it were to happen -
> particularly when supporting delegation/portability-powered openid
> communities.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>



-- 
Chris Messina
Open Web Advocate

factoryjoe.com // diso-project.org // openid.net
This email is:   [ ] bloggable    [X] ask first   [ ] private
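Peter's remark that the "MAC'ed assertion blob" could be handled as just another token is worth making concrete: an OpenID 2.0 positive assertion is a set of openid.* parameters whose listed fields are serialised in Key-Value form and HMAC'ed with the association key, so a "token handler" for it is essentially the check below. This is an added example, not code from the thread, from Geneva, or from any OpenID library; it follows the OpenID Authentication 2.0 signing rules (section 10.1 mandatory signed fields, section 4.1.1 Key-Value form), while the association handle, MAC key, hostnames, nonce and the 5-minute freshness window are constructed values chosen for illustration. It also covers the checks a practitioner would want around the MAC itself: that the mandatory fields are actually inside the signed list, that return_to is this RP's, and that the response_nonce is fresh and not replayed.

```python
"""Verify an OpenID 2.0 positive assertion ("id_res") at the RP using the
association MAC key, i.e. treat the "MAC'ed assertion blob" as a token.
Added example; not code from the list thread or from Geneva. The sample
association and assertion below are constructed for illustration."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# OpenID 2.0, section 10.1: fields that must be signed in a positive assertion.
MANDATORY_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
# claimed_id and identity must also be signed whenever they are present.
IDENTITY_FIELDS = {"claimed_id", "identity"}
HASHES = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_form(params, signed_keys):
    """Key-Value form (OpenID 2.0 section 4.1.1) of the signed fields, in order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys)


def compute_sig(mac_key, assoc_type, params):
    """Base64(HMAC(mac_key, kv_form)) over the fields named in openid.signed."""
    signed_keys = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(params, signed_keys).encode("utf-8"),
                      HASHES[assoc_type]).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_assertion(mac_key, assoc_type, params):
    """OP side: attach openid.sig to an assertion (used here to build samples)."""
    out = dict(params)
    out["openid.sig"] = compute_sig(mac_key, assoc_type, out)
    return out


def verify_assertion(params, associations, seen_nonces, expected_return_to,
                     now, max_skew=timedelta(minutes=5)):
    """RP side. Returns (ok, reason). `associations` maps assoc_handle ->
    (assoc_type, mac_key); `seen_nonces` is the RP's persisted replay set."""
    if params.get("openid.ns") != "http://specs.openid.net/auth/2.0":
        return False, "not an OpenID 2.0 message"
    if params.get("openid.mode") != "id_res":
        return False, "mode is not id_res"
    assoc = associations.get(params.get("openid.assoc_handle"))
    if assoc is None:
        return False, "unknown assoc_handle (would need check_authentication)"
    assoc_type, mac_key = assoc
    signed_keys = params.get("openid.signed", "").split(",")
    present = {k[len("openid."):] for k in params if k.startswith("openid.")}
    missing = (MANDATORY_SIGNED | (IDENTITY_FIELDS & present)) - set(signed_keys)
    if missing:
        return False, f"unsigned mandatory fields: {sorted(missing)}"
    if any("openid." + k not in params for k in signed_keys):
        return False, "signed list names a field that is absent"
    # Check the MAC before anything that depends on the message's contents.
    expected = compute_sig(mac_key, assoc_type, params)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "signature mismatch"
    if params["openid.return_to"] != expected_return_to:
        return False, "return_to does not match this RP"
    nonce = params["openid.response_nonce"]
    try:  # nonce = UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by random chars
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > max_skew:
        return False, "response_nonce outside the acceptable window"
    if nonce in seen_nonces:
        return False, "response_nonce replayed"
    seen_nonces.add(nonce)  # record only after every check has passed
    return True, "ok"


# Constructed sample (assumed values): an association the RP established
# earlier and the positive assertion the OP redirected the browser back with.
MAC_KEY = b"\x01" * 32
ASSOCIATIONS = {"assoc-1234": ("HMAC-SHA256", MAC_KEY)}
RP_RETURN_TO = "https://rp.example.test/openid/return"
NOW = datetime(2009, 5, 17, 16, 48, 0, tzinfo=timezone.utc)
ASSERTION = sign_assertion(MAC_KEY, "HMAC-SHA256", {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.test/server",
    "openid.claimed_id": "https://alice.example.test/",
    "openid.identity": "https://alice.example.test/",
    "openid.return_to": RP_RETURN_TO,
    "openid.response_nonce": "2009-05-17T16:47:57ZfS9NnR",
    "openid.assoc_handle": "assoc-1234",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
})


def demo():
    """Verify the sample, then show a tampered copy and a replay being rejected."""
    seen = set()
    results = [verify_assertion(ASSERTION, ASSOCIATIONS, seen, RP_RETURN_TO, NOW)]
    forged = dict(ASSERTION, **{"openid.claimed_id": "https://mallory.example.test/"})
    results.append(verify_assertion(forged, ASSOCIATIONS, seen, RP_RETURN_TO, NOW))
    results.append(verify_assertion(ASSERTION, ASSOCIATIONS, seen, RP_RETURN_TO, NOW))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The order of checks matters: the MAC is verified before return_to and the nonce are trusted, and the nonce is recorded only after everything else passes, so a forged message cannot burn a legitimate nonce. An RP that does not hold the association (or is running a stateless flow) has to fall back to the OP's check_authentication endpoint instead of computing the HMAC itself, and a practical deployment would also tie claimed_id back to the discovered OP endpoint, which this example leaves out.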