[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal

John Bradley ve7jtb at ve7jtb.com
Tue Feb 14 17:30:25 UTC 2012 

Peter,

The thing that stopped openID 2.0 from being SP-800-63 LoA2 was the lack of protection of assertions from the Identity provider to the RP (No encryption or TLS protected direct communication)
The thing that also stops it from being LoA 3 is a lack of asymmetric signatures for non repudiation.

Support for PKI as the primary authenticator is the same for both openID 2 and SAML 2, and not one of the considerations.

OpenID Connect http://openid.net/connect/  which is currently being voted on by the membership as an implementers draft addresses both issues.

One might reasonably expect that once openID Connect is an approved specification FICAM will produce a profile of it, perhaps upto LaA 3 non Crypto or LoA 4 with Holder of key.

There is also a openID Connect interop currently taking place amongst a number of the open source implementations http://osis.idcommons.net/wiki/OC3_OpenID_Connect_Interop_3.

Foundation Members should read the proposed spec and vote for or against it as an implementers draft.

The reason for the implementers draft is that it locks in the IPR contributions of all the contributors (Google, MS, Facebook, and Me etc).
It also allows people to work on implementations without the spec changing weekly.

There will likely still be some changes from the implementers draft to the final version based on testing feedback.

We have been working on the specification in the openid-ab WG for several hers now so this should not be a big sup prise to anyone.

Regards
John B.
On 2012-02-14, at 2:09 PM, Peter Williams wrote:

> 
> Well that was interesting.
> 
> 
> 
> The shibolleth folks managed to setup a somewhat false distinction, 2+ years ago, with the help of several UK academics, to establish that the "protocol" of openid (v1 or v2) was inherently limited to LOA1 - by design nature. One sees this division BUILT IN to the ETSI work on nationa-id cards for future-telco, very clearly. Becuase SAML2 CAN be used with PKI, it was able "uniquely" to claim a space of being LOA2+ capable.
> 
> 
> 
> NOw we learn that "openid connect" is not openid-2 (with bells and whistles). its an LOA2-capable definition, per se. Not knowing what openid connect is, I cannot really comment... In our space, we are still considering whether to turn on openid as-is (via the Microsoft STS bridge for websso protocols). openid as conceived is almost viable (now), to boostrap a professional agency/representation relationship.
> 
> 
> 
> This move-up to LOA2 is going to restart a SAML2 war, since openid is not staying in its place (supporting blogging comments, and logon to a billion sites that "dont matter" - a phrase that is (c) UK academia).
> 
> 
> 
> of course the distinction was false all along, but such are government programs - full of falseness and pretense and day-by-day political hashes. Its hard talking 2 storys out of your mouth at the same time - but thats what governing (and pre-competitive funding) is often all about. 
> 
> 
> 
> Perhaps folks here should all disclosure their "review" and 'influence" roles in the NSTIC program. John is quite open and fair and fully disclosed (if with a 6 month delay, so some proper use of FOUO can create effective working conditions for program management). Im not sure about others.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>  		 	   		  
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20120214/b6347c9d/attachment.p7s>

More information about the general mailing list