[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal

Francisco Corella fcorella at pomcor.com
Tue Feb 14 19:42:11 UTC 2012


John,

> The thing that stopped openID 2.0 from being SP-800-63 LoA2 was the
> lack of protection of assertions from the Identity provider to the RP
> (No encryption or TLS protected direct communication)

In the FICAM profile of OpenID 2.0, which you co-edited, I believe the
assertions are sent with TLS protection from the IdP to the browser
and from the browser to the RP.  I realize that's indirect rather than
direct communication.  But why the insistence on direct communication?
The browser has to be trusted anyway.

Francisco




>________________________________
> From: John Bradley <ve7jtb at ve7jtb.com>
>To: Peter Williams <home_pw at msn.com> 
>Cc: openid-general at lists.openid.net 
>Sent: Tuesday, February 14, 2012 9:30 AM
>Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
> 
>Peter,
>
>The thing that stopped openID 2.0 from being SP-800-63 LoA2 was the lack of protection of assertions from the Identity provider to the RP (No encryption or TLS protected direct communication)
>The thing that also stops it from being LoA 3 is a lack of asymmetric signatures for non repudiation.
>
>Support for PKI as the primary authenticator is the same for both openID 2 and SAML 2, and not one of the considerations.
>
>OpenID Connect http://openid.net/connect/  which is currently being voted on by the membership as an implementers draft addresses both issues.
>
>One might reasonably expect that once openID Connect is an approved specification FICAM will produce a profile of it, perhaps up to LoA 3 non Crypto or LoA 4 with Holder of key.
>
>There is also an openID Connect interop currently taking place amongst a number of the open source implementations http://osis.idcommons.net/wiki/OC3_OpenID_Connect_Interop_3.
>
>Foundation Members should read the proposed spec and vote for or against it as an implementers draft.
>
>The reason for the implementers draft is that it locks in the IPR contributions of all the contributors (Google, MS, Facebook, and Me etc).
>It also allows people to work on implementations without the spec changing weekly.
>
>There will likely still be some changes from the implementers draft to the final version based on testing feedback.
>
>We have been working on the specification in the openid-ab WG for several years now so this should not be a big surprise to anyone.
>
>Regards
>John B.
>On 2012-02-14, at 2:09 PM, Peter Williams wrote:
>
>> 
>> Well that was interesting.
>> 
>> The Shibboleth folks managed to set up a somewhat false distinction, 2+ years ago, with the help of several UK academics, to establish that the "protocol" of openid (v1 or v2) was inherently limited to LOA1 - by design nature. One sees this division BUILT IN to the ETSI work on national-id cards for future-telco, very clearly. Because SAML2 CAN be used with PKI, it was able "uniquely" to claim a space of being LOA2+ capable.
>> 
>> Now we learn that "openid connect" is not openid-2 (with bells and whistles). It's an LOA2-capable definition, per se. Not knowing what openid connect is, I cannot really comment... In our space, we are still considering whether to turn on openid as-is (via the Microsoft STS bridge for websso protocols). openid as conceived is almost viable (now), to bootstrap a professional agency/representation relationship.
>> 
>> This move-up to LOA2 is going to restart a SAML2 war, since openid is not staying in its place (supporting blogging comments, and logon to a billion sites that "don't matter" - a phrase that is (c) UK academia).
>> 
>> Of course the distinction was false all along, but such are government programs - full of falseness and pretense and day-by-day political hashes. It's hard talking 2 stories out of your mouth at the same time - but that's what governing (and pre-competitive funding) is often all about.
>> 
>> Perhaps folks here should all disclose their "review" and "influence" roles in the NSTIC program. John is quite open and fair and fully disclosed (if with a 6 month delay, so some proper use of FOUO can create effective working conditions for program management). I'm not sure about others.
>> 
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20120214/e7dbe01f/attachment.html>
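The two properties John's reply turns on, protection of the assertion on its way from the OP to the RP and asymmetric signatures for non-repudiation, can be made concrete in code. The Go program below is an added example written for this archive page; it is not code from any of the posters, from the OpenID Foundation, or from any OpenID implementation. It models an OpenID 2.0 positive assertion signed the way the 2.0 spec specifies, HMAC-SHA256 over the "key:value\n" form of the fields listed in openid.signed, keyed with the association secret that the OP and the RP share, and sets beside it the same assertion signed with a private key only the OP holds (Ed25519 is assumed here for brevity; OpenID Connect ID tokens are JWS objects, commonly RS256). The field values, nonce and secret are constructed. The point it demonstrates is that a party holding only the RP's material can mint a valid HMAC signature over an assertion the OP never issued, so that signature is evidence to nobody but the RP itself, whereas the asymmetric signature cannot be produced or adapted without the OP's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Fields of a positive assertion in the order they would appear in openid.signed
// (given without the "openid." prefix). Constructed subset, not the full list.
var signedFields = []string{"op_endpoint", "return_to", "response_nonce", "claimed_id", "identity"}

// kvForm builds the "key:value\n" string OpenID 2.0 signs, over exactly the
// fields named in openid.signed and in that order.
func kvForm(signed []string, fields map[string]string) string {
	var b strings.Builder
	for _, k := range signed {
		fmt.Fprintf(&b, "%s:%s\n", k, fields[k])
	}
	return b.String()
}

// hmacSign is the OpenID 2.0 association signature: HMAC-SHA256 keyed with a
// secret that both the OP and the RP hold.
func hmacSign(secret []byte, signed []string, fields map[string]string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(kvForm(signed, fields)))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

func hmacVerify(secret []byte, signed []string, fields map[string]string, sig string) bool {
	got, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(kvForm(signed, fields)))
	return hmac.Equal(m.Sum(nil), got)
}

// asymSign signs the same string with a key only the OP holds. Ed25519 is an
// assumption made for brevity; Connect ID tokens use JWS (commonly RS256).
func asymSign(priv ed25519.PrivateKey, signed []string, fields map[string]string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(kvForm(signed, fields))))
}

func asymVerify(pub ed25519.PublicKey, signed []string, fields map[string]string, sig string) bool {
	got, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(kvForm(signed, fields)), got)
}

// Result records what a party holding only the RP's material can and cannot do.
type Result struct {
	GenuineHMACValid bool // OP-issued HMAC assertion verifies at the RP
	GenuineAsymValid bool // OP-issued asymmetric assertion verifies at the RP
	HMACForgeable    bool // RP can produce a valid HMAC signature on an assertion the OP never sent
	AsymForgeable    bool // RP can get an altered assertion past the public key
}

// sampleAssertion returns a constructed positive assertion for "alice".
func sampleAssertion() map[string]string {
	return map[string]string{
		"op_endpoint":    "https://op.example/endpoint",
		"return_to":      "https://rp.example/return",
		"response_nonce": "2012-02-14T19:42:11Zconstructed",
		"claimed_id":     "https://op.example/alice",
		"identity":       "https://op.example/alice",
	}
}

// RunDemo issues a genuine assertion for alice under both schemes, then lets a
// holder of the RP's material try to produce one for bob.
func RunDemo() (Result, error) {
	secret := []byte("constructed-association-secret") // shared by OP and RP
	pub, priv, err := ed25519.GenerateKey(rand.Reader)  // private half stays at the OP
	if err != nil {
		return Result{}, err
	}
	genuine := sampleAssertion()
	hmacSig := hmacSign(secret, signedFields, genuine)
	asymSig := asymSign(priv, signedFields, genuine)

	forged := sampleAssertion()
	forged["claimed_id"] = "https://op.example/bob"
	forged["identity"] = "https://op.example/bob"

	var r Result
	r.GenuineHMACValid = hmacVerify(secret, signedFields, genuine, hmacSig)
	r.GenuineAsymValid = asymVerify(pub, signedFields, genuine, asymSig)
	// The RP holds the association secret, so it can sign whatever it likes;
	// the signature therefore proves nothing to a third party.
	r.HMACForgeable = hmacVerify(secret, signedFields, forged, hmacSign(secret, signedFields, forged))
	// Without the OP's private key, the best available move is to reuse the
	// genuine signature over altered fields, which the public key rejects.
	r.AsymForgeable = asymVerify(pub, signedFields, forged, asymSig)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run as written, the program reports both genuine assertions valid, the HMAC forgery accepted and the asymmetric forgery rejected. Note that neither scheme addresses the transit question Francisco raises: the signature binds the fields but says nothing about how the assertion travelled, so TLS on each browser hop (or direct OP-to-RP delivery) remains a separate requirement.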