[OpenID] signed json in javascript, relationship to openid?
Peter Williams
home_pw at msn.com
Wed Oct 12 17:56:12 UTC 2011
I've got a use case that is going to take a leaf out of the WebID book and apply it to an (awful, proprietary, realty) SSO scheme design. Enabling it does get us ALL FURTHER AWAY from the (US) national ID plan (since the design is not standard, is about SSO, but is crappy and proprietary). It's just beyond my power to get people to buy in to the SSO technologies promoted by the national ID plan. What I can do is make something of the opportunity.

I'm going to implement the cipher and protocol handler of the funky scheme in JavaScript, and have the browser implement the protocol in server-provided page script. The script then implements the funky SSO design, acting like a badly designed protocol message handler. (Think of it as the SSL handshake designed by a 12-year-old from the LA school district.) But the point is that the ciphersuite and what is essentially a custom layer 7+ protocol will be implemented by the browser, using JavaScript libraries providing the cipher and the method's core.

Now, I'm noting this because of its wider rationale. I can build my engine so I deliver to the browser JavaScript libraries with other cipher implementations, and scripts implementing other handshakes. And such handshakes may be designed to leverage signed/encrypted JSON as the "generic upper-layer security" framework. Obviously, the JavaScript code libraries with the cipher can also be signed, and loaded into the browser much as signed Java and signed p-code have been for a decade now on the web.

This all gets me to the point, on OpenID. Here I am NOT doing classical OpenID (which is about server->server flows). In fact, I'm undermining that concept, by assuming the browser is trustworthy (enough to load code, and then implement a "security protocol" flow, albeit one). What do folks feel about this? Is this incompatible with OpenID? Is it part of the movement's future .. to re-cast the trustworthiness of the browser itself?
I see postings here about IETF's signed/encrypted JSON blobs (S/MIME ASN.1 abstract transforms done using JSON presentation syntax now, rather than encoding to more traditional BER/DER), all of which seems to presage a fundamental shift in how I should be thinking of OpenID (it now works in production in a realty MLS system, with IdPs such as WordPress, Google, Yahoo, etc.).