<HTML dir=ltr><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText10199 dir=ltr><FONT face=Arial color=#000000 size=2>Immad </FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Leveraging a custom trustbearer.com consumer (acting as the account linking control point) I've built a simple account linking service, in the openid vein. Though not shown below, it's also capable of persistently linking, if required. Rather than do that (1) I'd like to play with ClickPass (acting as the persistence service), and (2) like radius, I want to split who does (linkage and namespace) authorization (Rapattoni) and who does accounting and directed id control (JanRain). For fun, I threw in JanRain's cardspace support.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV><FONT face=Arial size=2><A href="http://rapattoni.trustbearer.com/consumer/?user_openid=myopenid%2ecom&title=OpenId2+account+linking%3cbr%2f%3elogin+as+%22lockbox%22+using+%22sso1%22&redirect=http%3a%2f%2fswmrsso%2erapmlsstg%2ecom%2fsp%2fstartSSO%2eping%3fPartnerIdpId%3drdfgateway%26TargetResource%3dhttp%3a%2f%2flocalhost%3a7056%2frets%2fopenid2%2ffoafupdate" target=_blank>http://rapattoni.trustbearer.com/consumer/?user_openid=myopenid%2ecom&title=OpenId2+account+linking%3cbr%2f%3elogin+as+%22lockbox%22+using+%22sso1%22&redirect=http%3a%2f%2fswmrsso%2erapmlsstg%2ecom%2fsp%2fstartSSO%2eping%3fPartnerIdpId%3drdfgateway%26TargetResource%3dhttp%3a%2f%2flocalhost%3a7056%2frets%2fopenid2%2ffoafupdate</A></FONT>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>1. provide "myopenid.com" as userid (Yahoo style), to invoke directed id at JanRain MyOpenID's AND to use myopenid as the centralized "accounting server" (since they do such a good job of tracking). Leverage MyOpenID as cardspace-specific PEP.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>2. use an already bound infocard to logon to myopenid, getting the benefit of Trusted OS, drivers, desktop etc from my Vista PC. (If someone has an infocard that can be controlled by my TPM, or my fingerprint reader or the OpenSC CAPI CSP (talking to a PKCS#15 smartcard applet), let me know!)</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>3. configure myopenid persona to pass the web address of "rapattoni.trustbearer.com/lockbox" back to linking-consumer via sreg, over authenticated channel (*)</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>4. linking-consumer uses custom account linking logic (offloaded to a Rapattoni XACML server from Delegent in .se) that binds the myopenid openid to the target openid namespace, subject to authorization logic policy, as delegated to the linking-consumer</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>5. redirects to Rapattoni auth (to authorize linkage) which is password controlled (in the public example) or musclecard/CAC smartcard/RSASID800 on the higher assurance configurations in the rapattoni/trustbearer service.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>6. control returns to linking-consumer, using OOB security channel</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>7. linking consumer redirects to Relying Party, targeting some final webservice (e.g. foafupdate), passing in cleartext linked-id and (private) security token as evidence of delegated authN and authZ</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>8. on second and nth pass per browser tabset session, hereafter, linking-consumer recalls linked name for the browser session and does NOT re-prompt Rapattoni for password/smartcard or act as authorization PDP. Only myopenid is always used to effect directed ID "control" and accountability policy. MyOpenID is SUPPOSED to exercise control over whether it shows release screen or (ideally) does auto-release of sreg values.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>(*) JanRain's myopenid state machine seems to get a bit confused, since infocards got added. Doesn't seem to be able to remember "release once, release forever" any longer (at least for my consumer), and upon revoking the infocard and returning to password auth, on the first time password is used it cites "new infocard enrolled". Also, unable to register my musclecard smartcard's client auth SSL cert on screen that says: enroll SSL client cert.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>What I'd like to do is now target a Clickpass server as the final stage access it service - rather than target my http://localhost semweb server (a step which will obviously fail for everyone but me).</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Can I play, and target my plaxo account?</FONT></DIV>
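<DIV dir=ltr><FONT face=Arial size=2>Added example (not code from the thread, trustbearer or JanRain): the linking-consumer in step 3 should only trust the sreg web address if the OP included the sreg fields in openid.signed and the HMAC-SHA1 signature over the OpenID 2.0 key-value form verifies. The MAC key, identifiers and assertion below are constructed sample values; the checker drops unsigned sreg fields and rejects a tampered assertion.</FONT></DIV>

```python
import base64
import hashlib
import hmac

# Constructed association MAC key shared by consumer and OP (sample value only).
MAC_KEY = b"constructed-sample-association-mac-key"


def kv_form(params, signed_keys):
    """OpenID 2.0 Key-Value Form of the signed fields: 'key:value\\n' per field,
    in openid.signed order, with the 'openid.' prefix removed."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys).encode()


def sign(params, mac_key=MAC_KEY):
    """HMAC-SHA1 signature (base64) as used with an HMAC-SHA1 association."""
    signed_keys = params["openid.signed"].split(",")
    digest = hmac.new(mac_key, kv_form(params, signed_keys), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def trusted_sreg_fields(params, mac_key=MAC_KEY):
    """Return the sreg fields the consumer may act on, or None if the signature
    fails. Only sreg keys listed in openid.signed are returned."""
    signed_keys = params.get("openid.signed", "").split(",")
    if any("openid." + k not in params for k in signed_keys):
        return None  # a signed field is missing: the assertion is malformed
    expected = sign(params, mac_key)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return None
    return {k[len("openid.sreg."):]: v for k, v in params.items()
            if k.startswith("openid.sreg.") and k[len("openid."):] in signed_keys}


def sample_assertion():
    """Constructed positive assertion carrying the linked web address via sreg."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": "https://op.example.invalid/directed/abc123",  # constructed
        "openid.identity": "https://op.example.invalid/directed/abc123",
        "openid.return_to": "http://rapattoni.trustbearer.com/consumer/",
        "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
        "openid.sreg.nickname": "lockbox",
        "openid.signed": "ns,mode,claimed_id,identity,return_to,ns.sreg,sreg.nickname",
    }
    params["openid.sig"] = sign(params)
    return params
```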
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr>
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr><FONT face=Tahoma size=2><B>From:</B> Immad Akhund<BR><B>Sent:</B> Wed 3/19/2008 12:57 PM<BR><B>To:</B> Peter Williams<BR><B>Cc:</B> Martin Atkins; general@openid.net<BR><B>Subject:</B> Re: [OpenID] Clickpass: Making OpenId easier<BR></FONT><BR></DIV></DIV>
<DIV dir=ltr>
<DIV><BR>In terms of your suggestion, I don't quite understand what you mean by "subscription-based RPs" and quite a few of the other terms you use. It is probably more constructive to meet up and discuss things in person and I am sure we would be happy to work with you.<BR><BR>Thanks,<BR>Immad<BR></DIV></DIV></BODY></HTML>