[OpenID] Openid connect and interoperability (today)

n-sakimura n-sakimura at nri.co.jp
Fri Sep 27 04:04:56 UTC 2013 

Bunch of us are actualy using RSA.
I thought Google was also using it in their service but I may be wrong.

Nat

(2013/09/27 4:05), Peter Williams wrote:
> From a Nat write up (for the 7 billion of us web users who are not 
> inherently exceptional), the idtoken seems to be a symmetrically 
> signed jwt *in anticipated practice*. Its motivation is as an 
> "integrity check".
>
> If anyone is interested (in a relying party industry perspective) the 
> RSA signed token was more interesting, when referencing a x509 cert 
> chain. Testable by third parties during offline dispute handling, its 
> indication enabled the client to retain and present unforgeable 
> evidence of its authority to access/store and even snoop/share on data 
> retrieved from certain other endpoints, concerning user x. Typically, 
> those endpoints are not even guarded  (by access tokens)
>
> Note , despite being a willing windows developer, I have nothing to do 
> with Microsoft - don't be confused by the consumer centric msn.com 
> domain name! I played with DSL-based (dsam  pop delivered) pptp VPN in 
> 2001ish to see where the surveillance crypto politics & associated 
> engineering was at, in the us), and the name stuck.
>
> My assumption is that Microsoft activities with their peers here are 
> being done in anticipation of services to be delivered in 1-2 years 
> from now to (developer) customers  (per normal engineering cycles).
>
> Sent from my Windows Phone
> ------------------------------------------------------------------------
> From: Mike Jones <mailto:Michael.Jones at microsoft.com>
> Sent: ?9/?26/?2013 10:02 AM
> To: peter williams <mailto:home_pw at msn.com>; general at openid net 
> <mailto:general at openid.net>
> Subject: RE: [OpenID] Openid connect and interoperability (today)
>
> There's over a dozen implementations with test sites up at 
> http://osis.idcommons.net/.  See the Solutions link and the page about 
> the current OpenID Connect interop activities.  (We're currently in 
> the 5th round of public interop testing.)
>
> Best wishes,
> -- Mike
> ------------------------------------------------------------------------
> From: peter williams
> Sent: 9/26/2013 7:49 AM
> To: general at openid net
> Subject: [OpenID] Openid connect and interoperability (today)
>
> One more general question comes to mind. Using rsa-signed jwts, using 
> id certs, using access tokens that reference id certs, noting the 
> claim that google have deployed openid connect in essence, and noting 
> that facebook apparently use an original proprietary version of openid 
> connect, what is the state of multi-vendor openid connect deployment?
>
> We almost licensed ping identitys openid module for their federation 
> server, once the firm announced oauth v2 conformance and once id 
> figured that app/plugin fever had struck in the heart of microsofts 
> Office365 cloud service (wherein web-hosted sites can host pages that 
> display in the outlook email client, augmenting the email page itself, 
> as rendered by the cloud service AND where oauth-like authorization 
> grant and vendor control practices govern plugin activation and 
> subscription).  This seemed like a good fit...for us...allowing 
> professional data about a "member of realty association" to augment 
> the email addressing information.
>
> Ping did their best  to accomodate (since they tend to be market 
> leading and put up with me like few others do). But i was stunned to 
> learn that oauth 2 delivered nothing of any value (to such a 
> multi-vendor concept). The very concept was still scoped to private 
> community devices (logically enabling controlled realty iphone apps 
> talking to realty apis, aping facebook model of world order). Such 
> devices (including windows toolkits making sp website into "authorized 
> devices") would still require custom code or realty plugins even for 
> that 5 year old world view.
>
> While the ping deal idn't happen for some strange commercial reasons 
> and my lack of faith that the market concept was of much importance 
> (why do i want to ape google/facebook, being intentionally 5 years 
> late to the party), we did go off and extend our websso so that third 
> party authorization servers could do their thing, adding oauth2 value. 
> Thus we let microsoft azure cloud services for oauth offer such 
> extensibility (effectively adding yap - yet another (websso) protocol 
> - to the  family). And duly another realty firm with native 
> table/phone apps did connect up .. finding oauth 2 code grant flow 
> with rsa-signed jwts "just right".
>
> Which leads me back to the main question. Where is openid connect in 
> practice? Is there a groundswell? Is it at the im explosion stage 
> still (wherein aol, yahoo, live refused to connect up...)? Is the 
> technical profiling and core interoperability phase done? Is it at the 
> find a vc, phase?
>
> Perhaps want i really want to know is when will openid connect be an 
> open system? When can i talk to office 365 using my jwts, much as i 
> can talk to any webserver on the planet using my ssl x509 client certs?
>
> Or is that the wrong question? Is it _supposed_ to be a closed system, 
> like x400/x500, fully distributed but with a hierarchical connectivity 
> mesh controlled much public phone systems connect (at a relatively few 
> formal connection points)?
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general


-- 
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547

????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
PLEASE READ:
The information contained in this e-mail is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20130927/e492e5de/attachment.html>

More information about the general mailing list