[OpenID] Openid connect and interoperability (today)
Breno de Medeiros
breno at google.com
Fri Sep 27 06:29:34 UTC 2013
Google uses RSA and supplies keys in X.509 self-signed certificates.
On Thu, Sep 26, 2013 at 9:04 PM, n-sakimura <n-sakimura at nri.co.jp> wrote:
> Bunch of us are actually using RSA.
> I thought Google was also using it in their service but I may be wrong.
>
> Nat
>
>
> (2013/09/27 4:05), Peter Williams wrote:
>
> From a Nat write-up (for the 7 billion of us web users who are not
> inherently exceptional), the idtoken seems to be a symmetrically signed jwt
> *in anticipated practice*. Its motivation is as an "integrity check".
>
> If anyone is interested (in a relying party industry perspective) the RSA
> signed token was more interesting, when referencing an x509 cert chain.
> Testable by third parties during offline dispute handling, its indication
> enabled the client to retain and present unforgeable evidence of its
> authority to access/store and even snoop/share on data retrieved from
> certain other endpoints, concerning user x. Typically, those endpoints are
> not even guarded (by access tokens)
>
> Note, despite being a willing windows developer, I have nothing to do with
> Microsoft - don't be confused by the consumer centric msn.com domain name! I
> played with DSL-based (dsam pop delivered) pptp VPN in 2001ish to see where
> the surveillance crypto politics & associated engineering was at, in the
> US), and the name stuck.
>
> My assumption is that Microsoft activities with their peers here are being
> done in anticipation of services to be delivered in 1-2 years from now to
> (developer) customers (per normal engineering cycles).
>
> Sent from my Windows Phone
> ________________________________
> From: Mike Jones
> Sent: 9/26/2013 10:02 AM
> To: peter williams; general at openid net
> Subject: RE: [OpenID] Openid connect and interoperability (today)
>
> There's over a dozen implementations with test sites up at
> http://osis.idcommons.net/. See the Solutions link and the page about the
> current OpenID Connect interop activities. (We're currently in the 5th
> round of public interop testing.)
>
> Best wishes,
> -- Mike
> ________________________________
> From: peter williams
> Sent: 9/26/2013 7:49 AM
> To: general at openid net
> Subject: [OpenID] Openid connect and interoperability (today)
>
> One more general question comes to mind. Using rsa-signed jwts, using id
> certs, using access tokens that reference id certs, noting the claim that
> google have deployed openid connect in essence, and noting that facebook
> apparently use an original proprietary version of openid connect, what is
> the state of multi-vendor openid connect deployment?
>
> We almost licensed Ping Identity's openid module for their federation server,
> once the firm announced oauth v2 conformance and once I'd figured that
> app/plugin fever had struck in the heart of Microsoft's Office365 cloud
> service (wherein web-hosted sites can host pages that display in the outlook
> email client, augmenting the email page itself, as rendered by the cloud
> service AND where oauth-like authorization grant and vendor control
> practices govern plugin activation and subscription). This seemed like a
> good fit...for us...allowing professional data about a "member of realty
> association" to augment the email addressing information.
>
> Ping did their best to accommodate (since they tend to be market leading and
> put up with me like few others do). But I was stunned to learn that oauth 2
> delivered nothing of any value (to such a multi-vendor concept). The very
> concept was still scoped to private community devices (logically enabling
> controlled realty iphone apps talking to realty apis, aping the facebook model
> of world order). Such devices (including windows toolkits making sp website
> into "authorized devices") would still require custom code or realty plugins
> even for that 5 year old world view.
>
> While the ping deal didn't happen for some strange commercial reasons and my
> lack of faith that the market concept was of much importance (why do I want
> to ape google/facebook, being intentionally 5 years late to the party), we
> did go off and extend our websso so that third party authorization servers
> could do their thing, adding oauth2 value. Thus we let microsoft azure cloud
> services for oauth offer such extensibility (effectively adding yap - yet
> another (websso) protocol - to the family). And duly another realty firm
> with native tablet/phone apps did connect up .. finding oauth 2 code grant
> flow with rsa-signed jwts "just right".
>
> Which leads me back to the main question. Where is openid connect in
> practice? Is there a groundswell? Is it at the IM explosion stage still
> (wherein aol, yahoo, live refused to connect up...)? Is the technical
> profiling and core interoperability phase done? Is it at the find a vc,
> phase?
>
> Perhaps what I really want to know is when will openid connect be an open
> system? When can i talk to office 365 using my jwts, much as i can talk to
> any webserver on the planet using my ssl x509 client certs?
>
> Or is that the wrong question? Is it _supposed_ to be a closed system, like
> x400/x500, fully distributed but with a hierarchical connectivity mesh
> controlled much as public phone systems connect (at a relatively few formal
> connection points)?
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
> --
> Nat Sakimura (n-sakimura at nri.co.jp)
> Nomura Research Institute, Ltd.
> Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
>
> PLEASE READ:
> The information contained in this e-mail is confidential and intended for
> the named recipient(s) only.
> If you are not an intended recipient of this e-mail, you are hereby notified
> that any review, dissemination, distribution or duplication of this message
> is strictly prohibited. If you have received this message in error, please
> notify the sender immediately and delete your copy from your system.
>
>
--
--Breno
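Added example, not Google's code and not from any post in this thread: a Go program that does at the relying-party end what Breno's one-line answer describes, an RS256 ID token checked against an RSA key that the provider ships inside a self-signed X.509 certificate (Peter's "RSA signed token referencing an x509 cert" case, minus the chain). It assumes the provider publishes a kid-to-certificate map; the issuer name idp.example, the kid k1, the claims and the certificate validity are all constructed for the example. The verifier pins alg to RS256 and selects the certificate by kid before touching the payload, which is the check that keeps the token from choosing its own algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newIssuer generates an RSA key and publishes its public half as a self-signed
// X.509 certificate under kid. Subject name and validity are constructed here.
func newIssuer(kid string) (*rsa.PrivateKey, map[string]*x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "idp.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, map[string]*x509.Certificate{kid: cert}, err
}

// signRS256 mints a compact JWS: b64url(header).b64url(claims).b64url(sig), with
// sig = RSASSA-PKCS1-v1_5 over SHA-256 of the first two segments.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// verifyRS256 pins alg to RS256, selects the certificate by kid, and checks the
// signature with that certificate's RSA key before decoding a single claim.
func verifyRS256(token string, certs map[string]*x509.Certificate) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the token never gets to choose the algorithm
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	cert, ok := certs[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("kid %q does not carry an RSA key", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

func main() {
	priv, certs, err := newIssuer("k1")
	if err != nil {
		panic(err)
	}
	tok, _ := signRS256(priv, "k1", map[string]any{"iss": "https://idp.example", "sub": "user-x"}) // constructed claims
	fmt.Println(verifyRS256(tok, certs))
}
```

`go run` prints the verified claims and a nil error. What the block leaves out, and a real relying party must add, is everything that is not the signature: fetching and caching the certificate map over TLS from the provider, and checking iss, aud and exp on the decoded claims before acting on sub.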