[OpenID] UCI Idea: An iPhone OP (?)
Paul Madsen
paulmadsen at rogers.com
Wed Mar 3 23:05:52 UTC 2010
Thanks, David,

SAML allows the IdP to sign assertions and/or messages.

In this case, the IdP on the phone just uses the RSA keys it has on hand
to do the signing - which are those on the user's SIM. (There are, of
course, correlation/privacy implications of signing assertions with user
keys.)

There are times where it's useful to be able to sign a SAML assertion
separately from the message that carries it (if you want to be able to
subsequently use it) - but I don't think this is one of them.

So, I don't see why the fact that OpenID doesn't have something comparable
to 'assertions' would prevent the 'OP on phone' model you're thinking of.

paul
On 3/3/2010 3:58 PM, David Fuelling wrote:
> That's incredible, and very cool!!
>
> I don't know that much about SAML, but it seems like a SAML IdP can
> use an individual user's key-pair to create an assertion that an RP
> can use to allow a login (a "signed assertion")?
>
> From TFA: "Then the IdP on the mobile phone creates an SAML assertion
> and signs the assertion with the private key of the mobile phone".
>
> OpenID doesn't have the ability to sign assertions like this, does it?
>
>
> On Wed, Mar 3, 2010 at 12:03 PM, Paul Madsen <paulmadsen at rogers.com> wrote:
>
> Hi David, NTT built something like you describe for SAML SSO -
> specifically the scenario you list below in #4
>
> http://www.projectliberty.org/liberty/content/download/3960/26523/file/NTT-SASSO%20liberty%20case%20study.pdf
>
> paul
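To make the distinction Paul draws concrete (an assertion signed on its own stays verifiable after it is pulled out of the carrying message; a message-level signature alone does not), here is an added toy model that is not part of the thread or of NTT's implementation. It assumes HMAC keys as a stand-in for the SIM-held RSA key pair and canonical JSON in place of XML-DSig over canonicalised XML; the RP URL and request id are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the SIM-held RSA key: a single HMAC key for the IdP.
# Real SAML uses XML-DSig over canonicalised XML; canonical JSON plays that role here.
IDP_KEY = b"constructed-idp-signing-key"


def canonical(obj):
    """Deterministic byte encoding so signer and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def verify(key, obj, sig):
    return hmac.compare_digest(sign(key, obj), sig)


def build_response(subject, sign_assertion, sign_message):
    """IdP-on-phone builds a response carrying one assertion; either the
    assertion, the whole message, or both receive a signature."""
    assertion = {"issuer": "idp-on-phone", "subject": subject,
                 "audience": "https://rp.example/acs"}  # constructed RP
    if sign_assertion:
        assertion = {"body": assertion, "sig": sign(IDP_KEY, assertion)}
    response = {"assertion": assertion, "in_response_to": "req-123"}  # constructed
    if sign_message:
        response = {"body": response, "sig": sign(IDP_KEY, response)}
    return response


def verify_response(response):
    """RP checks the message-level signature; None means the message is unsigned."""
    if "sig" not in response:
        return None
    return verify(IDP_KEY, response["body"], response["sig"])


def extract_assertion(response):
    """Pull the assertion out of the message for later, separate use."""
    return response["body"]["assertion"] if "sig" in response else response["assertion"]


def verify_assertion(assertion):
    """Standalone check: succeeds only if the assertion itself carries a signature."""
    if "sig" not in assertion:
        return False
    return verify(IDP_KEY, assertion["body"], assertion["sig"])
```

A message-only signature protects the response in transit, but once the assertion is lifted out nothing vouches for it, which is why a separately signed assertion is the choice when it must be reused later.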