[OpenID] openid 2.1 and geneva - XRI?

Peter Williams pwilliams at rapattoni.com
Sun May 17 19:46:56 UTC 2009


AD http://en.wikipedia.org/wiki/Active_Directory - read "Directory"

RMS http://en.wikipedia.org/wiki/Windows_Rights_Management_Services - read short-life X.509 certs imposing usage limits on forwarded assertions (think DRM)

LDS http://technet.microsoft.com/en-us/library/cc779554.aspx - read directory with private schema (e.g. AX schema)

HA is high availability (should be obvious; think load balancing)

FT is fault tolerant (should be obvious; think clustering).

NAC http://en.wikipedia.org/wiki/Network_Access_Control (you don't even get an (https) communications channel until the client PC is in compliance with the security posture of the RP site).

UPN http://www.ietf.org/proceedings/06mar/slides/pkix-4/pkix-4.ppt (think email-like id, tied to other name forms such as URIs).

Yes, I do tend to overly use cisco, microsoft and general IT security professional terminology. It's the world I live in, along with a large number of other IT professionals who run server farms - and who will be serving the millions of RPs and the millions of OPs we are working toward, no? Once it leaves standards forums, openid protocol will have to fit in with the myriad of (multi-vendor) security issues folks deal with.

Compared to the level of all you other folks who work here, we in the IT professional group do tend to come from the lower half of the IT class. But, we count, nonetheless. I know we tend to frustrate security experts, but try to understand that our interest is good news! We are those who will have to diagnose and fix it all, when it breaks! If we were invading the private working group lists with our low level of sophistication about openid terminology, I'd be more sympathetic. But I for one am not; I stay here at the general level, only, where we have open forum rules. (In the WGs, I assume your security experts run your document-producing committees using a highly business-like management culture.)

Generally, rather than ask 100 web2.0 site users "who has heard of openid?", I'd suspect that folks would be better off doing a poll of the 50,000 Cisco CCIEs or CCSPs and ask them: what is openid, and have you played with it yet? They are going to be setting the firewall and IPS rules for openid messages, after all. Similarly, I'd go ask the 200,000 MCSE and MCITPs - in the microsoft world. They are going to be setting the policies on all their servers and PCs, after all. Then, do a survey of the real teller of relevance: go see if openid is known to a decent percentage of CISSPs or CSAs. They are going to be accrediting or generating the audit results for the world of medium assurance transactions (e.g. credit cards), after all.

If the cisco and microsoft certified crowds are not wanted, choose the equivalents from the linux world. It's the same pool of folk; and the same indicator of adoption, or readiness for adoption.

---------------

PS

I was hoping to see openid "at least mentioned" in the latest work from microsoft on its core identity management platform. Bit disappointed that it's not. I'd have expected at least a v0 effort, to showcase that the architecture can gateway openid messages, as well as it gateways all the other largely-equivalent protocols.

________________________________
From: Chris Messina [chris.messina at gmail.com]
Sent: Sunday, May 17, 2009 9:47 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] openid 2.1 and geneva - XRI?

By the way, just for the record Peter, I understand about 12% of your posts considering all the acronyms that you use.

Is there an index that I could use to expand the acronyms you use in your emails?

Chris

On Sat, May 16, 2009 at 3:14 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
There is absolutely nothing in the following resources that refers to openid(2). But let's imagine MSFT was going to plug in openid auth to the Geneva framework (along with all the other largely equivalent websso protocols)

http://blogs.msdn.com/card/archive/2009/05/12/what-s-new-in-geneva-beta-2.aspx

http://blogs.msdn.com/card/archive/2008/11/04/microsoft-geneva-framework.aspx

The (postulated) things I'd find most interesting would be, given their impact on the relevance of openid in an enterprise deployment:-

integration with the AD-RMS server. If used much as RMS is used via ike certs to create ipsec segmentation worlds in NAC environments, openid RPs could be benefiting from claims that are in fact RMS-issued short-lived certs (describing the health compliance of the PC to the RP). Rather than the RP worrying about password age, it simply processes the health cert (whose issuing policy addresses that compliance issue).

mapping of openid claims onto windows tokens (allowing for onward delegation). This would be a variant of what's being done for SAML2 account linking. Obviously, those tokens want to convey the health standing of the clients, so as not to contaminate more trusted networks.

the HA and FT architecture, probably based on AD multi-mastering, locator protocols, site replication etc. I.e. what would happen when openid is used in an enterprise context and an app must locate the openid federation gateway nearest to it, given the publication of its transformation capabilities

Will there be a token handler for openid auth, much as there is for saml, secure sessions for web services, kerberos tokens, etc? If nothing else, the openid auth mac'ed assertion blob can be regarded as just another binary blob.

The use of UPN claims, allowing the federated trust model to support websso - as the RP must be AD-powered - so it can evaluate the binding of the UPN to the ldap URI (or a gc URL, or [logically] an http openid URL).

Geneva implements SP-lite (which includes mandatory support for logout). Would openid auth 2.1 have to match this minimum?

----

does anyone have any blog-style pointers about Microsoft future directions and XRI 2.0 resolution - probably on an AD-related list?

Will be interesting to see if MSFT creates a world of standalone XRI servers, much as it distinguishes between AD LDS naming contexts apps run for themselves, vs the naming contexts managed by DCs supporting the Windows Network. I'd see this as a boon for openid RP webapps, if it were to happen - particularly when supporting delegation/portability-powered openid communities.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general



--
Chris Messina
Open Web Advocate

factoryjoe.com // diso-project.org // openid.net
This email is:   [ ] bloggable    [X] ask first   [ ] private
