<HTML dir=ltr><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText97545 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT>With the help of the trustbearer folks, we fiddled a little more with the OpenID2 -> SAML (-> opentoken) gateway concept for multiple listing services in the US (a market for brokering home/office sales/purchases).</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><A href="http://mls.homepw.org/" target=_blank>http://mls.homepw.org/</A> starts off a demo. Using "Yahoo" directed identity concepts, open IE at this URL for the RP site - which should just redirect to myopenid. The result is a pretty classical username/password login process for the end user. Optionally, the user auth can apply JanRain's very cute phonefactor feature, too. Once one then releases the attributes, the auth + attribute assertions are sent to the MLS webapplication, where account linking occurs (the first time).</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Try it and do provide feedback. There is hardly an openid url in sight, of course. So...this begs the question: "is this true to OpenID"?</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Now in this architecture, there is obviously a lot of trusted chaining going on - using techniques similar to those used in military X.500 networks. The integrity of such a network will surely depends on using classical security techniques, hailing from the SCOMP/Blacker/VPN work of Schell et al. - enforcing label-based integrity policies in distributed systems for WAN/Internet environments.</DIV></DIV></BODY></HTML>