<HTML dir=ltr xmlns:o = "urn:schemas-microsoft-com:office:office"><HEAD></HEAD>
<BODY style="WORD-WRAP: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space">
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr><FONT face=Tahoma size=2><B>From:</B> Johannes Ernst<BR><B>Sent:</B> Sat 3/22/2008 12:01 AM<BR><B>To:</B> Peter Williams<BR><B>Cc:</B> openid-general List<BR><B>Subject:</B> Re: [OpenID] Thinking About OpenID.com<BR></DIV></FONT>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Apologies, but I have no idea what you just said, neither syntactically nor semantically ;-) </DIV>
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Johannes: </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Let me atone by writing a more general discussion piece using informal language, focusing attention ultimately on OpenID2 and publickey.</DIV>
<DIV dir=ltr>
<DIV id=idOWAReplyText69339 dir=ltr>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>--------</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'">Now that the players in the Internet2 universe can talk SAML2 with the now released Shib2.0.0 IDP software set, I looked again at the Shibboleth project. In particular, I studied the _older_, pre-SAML2, notions of federation and discovery. Drawing parallels between the discovery processes of OpenID2 and Shib1.3 discovery is easy to do. Criteria distinguishing between symmetrickey vs. publickey control principles seem to fall out of the analysis, quite naturally. </SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'">In OpenID2, folk are long used to the notion that the OpenID auth flow is merely one example of the general sp-initiated flow of the "WebSSO profile", long standardized and well commercialized. In the Openid2 variant of this flow pattern, once the user initiates the flow and gets to control the initial discovery hints -- from the highly, telco-focussed XRD -- the RP gets to talk to an OP. We also know that the OP may refer the RP to another OP, merely by returning a claimed_id that does not match that one requested. In essence, it is acting as a discovery server. its fair to say that the finalized specification of OpenID2 Auth implicitly defines an OP to OP referral process.<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'">In the Shib1.3 world, apparently, the "AuthnRequest" message from an SP to an IDP can be "intercepted" by a discovery server. The message is chained off to the IDP - upon completion of discovery logic and user interactions. Clearly, AuthnRequest plays essentially the same role as "auth req" - in OpenID land. Doesn't this imply that the Shib1.3 discovery server is playing largely the same role as the OpenID2 OP discussed above - the one that issues "discovery referrals" to other OPs? <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"> <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'">The main functional plane difference between the Shib1.3 and the OpenID2 notions of IDP/OP discovery seems to lie in the area of using chaining (Shib1.3) vs. referrals/redirects (OpenID2). When analysing the associated control plane, this difference affects the security management properties -- invoking traditional debate over the merits and de-merits of changing’s messaging-security model vs. referral’s channel-security model, accompanied usually by discussion of the pros and cons to each model of either publickey-based, symmetrickey-based, or hybrid crypto control principles. <o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><o:p><FONT face=Calibri> </FONT></o:p></P></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><BR><BR> </DIV></DIV></DIV></BODY></HTML>