[OpenID] Switching from OpenID 2.0 to OpenID Connect for Google logins to openid.net
Nat Sakimura
n-sakimura at nri.co.jp
Wed Feb 18 06:29:11 UTC 2015
Hi Peter,
If I understand correctly, SP Affiliation can be achieved by sector
identifier.
See
http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
For token exchange, IETF OAuth WG is working on a spec.
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-00
Perhaps this is something you are looking for?
Nat
On Wed Feb 18 2015 at 14:57:51 Peter Williams <home_pw at msn.com> wrote:
> Saml has a feature that I like, called sp affiliations. In short, if a
> local name binding is assigned by one sp/rp, all other RP in the
> affiliation get the same value.
>
> That is an example of sp centric architecture.
>
> If one has a cluster of gateways (at ip switching points close to a
> distributed set of RPs) it takes quite some engineering to share those
> names, enable a primary RP to assign the names, etc. The process can even
> be security critical, which obviously heightens the engineering left
> further.
>
> One non (saml) standard architecture point can include swapping tokens for
> Kerberos tickets, to leverage Kerberos enforcing functions for delegation
> of privilege in operating system (networked) trusted computing bases.
>
> Those two examples hide security information from idps, and also prepare
> for an easy exit of an idp from the sp centric architecture (when an idp
> changes rules, say, in an unacceptable manner to the sp affiliation.) They
> limit dependency, at a policy level.
>
> While it's wonderful that a contrasting idp-centric architecture exists,
> allowing such as a media rendering box (eg appletv) to show such as a
> YouTube app that signs up the device to YouTube subscription via a pc-based
> process *using oauth to orchestrate things*, not all web security models
> are about devices and apps, or app subscriptions to media, or syncing such
> subscriptions across multiple devices.
>
> Sent from my Windows Phone
> ------------------------------
> From: Nat Sakimura <n-sakimura at nri.co.jp>
> Sent: 2/17/2015 8:55 PM
> To: Peter Williams <home_pw at msn.com>
> Cc: Manger, James <James.H.Manger at team.telstra.com>;
> openid-general at lists.openid.net
> Subject: Re: [OpenID] Switching from OpenID 2.0 to OpenID Connect for
> Google logins to openid.net
>
> Hi Peter,
>
> Could you elaborate on "this area" a bit more, please?
> We could certainly consider additional activities.
>
> Best,
>
> Nat
>
> On Tue, 17 Feb 2015 09:54:32 -0800
> Peter Williams <home_pw at msn.com> wrote:
>
> > Shame openid foundation doesn't lead in this area, fomenting common
> > architecture practices for RP communities, that are independent of
> > idp/cloud vendor.
>
>
> --
> Nat Sakimura (n-sakimura at nri.co.jp)
> Nomura Research Institute, Ltd.
>
>
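Nat's point that a sector identifier gives affiliated RPs the same user identifier, worked through as an added example (not code from the thread, the OpenID Foundation, or any OP): the OP derives the sector identifier from `sector_identifier_uri` (or the redirect host), checks the registered redirect URIs against the sector document as the linked registration section requires, and computes a pairwise `sub` keyed by that sector. The keyed-hash scheme is one of the algorithms OpenID Connect Core 8.1 lists as acceptable; the RP registrations, sector document and salt are constructed.

```python
# Pairwise subs keyed by sector identifier (OpenID Connect Core 8.1).
# Added example; registrations, sector document and salt are constructed.
import hashlib
import hmac
import json
from urllib.parse import urlparse

OP_PAIRWISE_SALT = b"constructed-op-salt"  # kept secret by the OP; never shared


def sector_identifier(reg: dict) -> str:
    """Host of sector_identifier_uri if registered, else the redirect_uri host."""
    uri = reg.get("sector_identifier_uri")
    if uri:
        parsed = urlparse(uri)
        if parsed.scheme != "https":  # registration spec: must be https
            raise ValueError("sector_identifier_uri must use https")
        return parsed.hostname
    hosts = {urlparse(r).hostname for r in reg["redirect_uris"]}
    if len(hosts) != 1:  # differing hosts need an explicit sector_identifier_uri
        raise ValueError("multiple redirect hosts require sector_identifier_uri")
    return hosts.pop()


def validate_sector_document(reg: dict, doc: str) -> None:
    """Every redirect_uri must be in the JSON array fetched from sector_identifier_uri."""
    missing = set(reg["redirect_uris"]) - set(json.loads(doc))
    if missing:
        raise ValueError(f"redirect_uris not in sector document: {sorted(missing)}")


def pairwise_sub(local_account_id: str, sector: str) -> str:
    """HMAC(salt, sector || id): equal within a sector, unlinkable across sectors."""
    msg = f"{sector}\x00{local_account_id}".encode()
    return hmac.new(OP_PAIRWISE_SALT, msg, hashlib.sha256).hexdigest()


# Constructed affiliation: two RPs on different hosts share one sector document.
SECTOR_DOC = json.dumps(["https://a.example/cb", "https://b.example/cb"])
RP_A = {"redirect_uris": ["https://a.example/cb"],
        "sector_identifier_uri": "https://affiliation.example/rps.json"}
RP_B = {"redirect_uris": ["https://b.example/cb"],
        "sector_identifier_uri": "https://affiliation.example/rps.json"}
RP_C = {"redirect_uris": ["https://c.example/cb"]}  # outside the affiliation


def subs_for(user: str) -> dict:
    """Return the sub each RP would receive for one local account."""
    for rp in (RP_A, RP_B):
        validate_sector_document(rp, SECTOR_DOC)  # document is passed in, so it runs offline
    return {n: pairwise_sub(user, sector_identifier(rp))
            for n, rp in (("A", RP_A), ("B", RP_B), ("C", RP_C))}
```

RPs A and B receive the same `sub` for a given account while C, on its own sector, receives a different one; an RP whose redirect URI is absent from the sector document fails registration.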